Multiple SQL injection vulnerabilities in PHPKit 1.6.1 allow remote attackers to execute arbitrary SQL commands via the (1) letter parameter to login/member.php or (2) im_receiver parameter to login/imcenter.php.
PHPKit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'member.php' script not properly sanitizing user-supplied input to the 'usernick' and 'letter' variables. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Set the 'magic_quotes_gpc' PHP option to 'on'.
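The 'magic_quotes_gpc' option was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so the durable fix is to validate these parameters and bind them in prepared statements. The sketch below is an added example, not PHPKit's own code; the table, column and function names are hypothetical, and it uses an in-memory SQLite database with constructed rows so it runs offline.

```php
<?php
// Added example, not PHPKit code. Table, column and function names are hypothetical.
// Constructed in-memory data so the script runs offline (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, usernick TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO member (usernick) VALUES (?)');
foreach (['alice', 'Anna', 'bob', "O'Brien"] as $nick) {
    $insert->execute([$nick]);
}

// Allowlist for the 'letter' filter: exactly one ASCII letter or digit, else null.
function validate_letter($raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9]\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Member list filtered by first character; the value is bound, never concatenated.
function members_by_letter(PDO $db, $rawLetter): array
{
    $letter = validate_letter($rawLetter);
    if ($letter === null) {
        return []; // reject instead of handing the input to SQL
    }
    $stmt = $db->prepare('SELECT usernick FROM member WHERE usernick LIKE ? ORDER BY usernick');
    $stmt->execute([$letter . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Receiver lookup (free-text nick): binding keeps quotes in the value as data.
function find_receiver(PDO $db, $rawNick): ?int
{
    if (!is_string($rawNick) || $rawNick === '' || strlen($rawNick) > 64) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM member WHERE usernick = ?');
    $stmt->execute([$rawNick]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

var_dump(members_by_letter($db, 'a'));   // valid single letter
var_dump(members_by_letter($db, "a'"));  // constructed malformed input, fails the allowlist
var_dump(find_receiver($db, "O'Brien")); // legitimate nick containing a quote
```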