与6月份dedecms修补的漏洞是同一个原理。
plus/guestbook.inc.php

// Bootstrap the DedeCMS core include and the input-filter helpers, resolved
// relative to this file's directory.
require dirname(__FILE__) . '/../../include/common.inc.php';
require_once DEDEINC . '/filter.inc.php';

plus/guestbook.inc.php

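// Pull in the guestbook implementation; the stray trailing "." after the
// statement in the original excerpt was a syntax error.
require_once(dirname(__FILE__).'/guestbook/guestbook.inc.php');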
...........
// Build the guestbook INSERT by plain string interpolation: every value must
// be both defined and escaped by the time this line runs. $img (the `face`
// column) is not assigned anywhere in this file, so its value can only come
// from outside — presumably via DedeCMS's registration of request parameters
// as globals (confirm in common.inc.php) — and reaches SQL unescaped; that is
// the injection this writeup describes.
// NOTE(review): the fix is to assign $img explicitly from its intended source
// before this statement (or bind every value through a prepared statement);
// never rely on an unassigned name being empty.
$query = "INSERT INTO `#@__guestbook`(title,tid,mid,uname,email,homepage,qq,face,msg,ip,dtime,ischeck)  VALUES ('$title','$tid','{$g_mid}','$uname','$email','$homepage','$qq','$img','$msg','$ip','$dtime','$needCheck'); "; 

$img变量未初始化，却被直接拼接进上面的SQL语句。

plus/bookfeedback.php

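// Bootstrap the DedeCMS core, the input-filter helpers and the channel
// functions. The third require was split across two lines in the original
// excerpt ("r" / "equire_once"), which does not parse.
require_once(dirname(__FILE__)."/../include/common.inc.php");
require_once(DEDEINC."/filter.inc.php");
require_once(DEDEINC."/channelunit.func.php");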

..............        //保存评论内容
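        // $catid (comments branch) and $typeid (reply branch) are never assigned
        // in this file before they are interpolated into SQL. Presumably via
        // DedeCMS's registration of request parameters as globals (confirm in
        // common.inc.php), an unassigned name can be supplied by the client —
        // the injection this writeup describes. Both are id columns, so pin
        // them to integers before any query is built.
        // NOTE(review): the intended source of these ids is not visible here;
        // if they should come from the article/book row, assign them from it.
        $catid  = isset($catid)  ? intval($catid)  : 0;
        $typeid = isset($typeid) ? intval($typeid) : 0;
        // Save the comment as a new feedback row.
        if($comtype == 'comments'){
            // NOTE(review): the second assignment discards the escaped copy;
            // $arctitle is not used in this branch, so which form is intended
            // is not visible here. Left as in the original.
            $arctitle = addslashes($arcRow['arctitle']);
            $arctitle = $arcRow['arctitle'];
            if($msg!='')
            {
                $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`catid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$catid','$username','$bookname','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
                $rs = $dsql->ExecuteNoneQuery($inquery);
                if(!$rs){
                    echo $dsql->GetError();
                    exit();
                }
            }
        }
        // Quoted reply: prepend the quoted post to the new message.
        elseif ($comtype == 'reply'){
            // The parent post is looked up by id; the cast is harmless if $fid
            // was already validated upstream and keeps the WHERE clause a bare
            // integer if it was not.
            $fid = intval($fid);
            $row = $dsql->GetOne("Select * from `#@__bookfeedback` where id ='$fid'");
            $arctitle = $row['arctitle'];
            $aid = intval($row['aid']);
            $msg = $quotemsg.$msg;
            $msg = HtmlReplace($msg,2);
            $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
            $dsql->ExecuteNoneQuery($inquery);
        }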

$catid变量以及$typeid变量未初始化，却分别被拼接进上面两条INSERT语句。
