firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

KVE-2018-1808 취약점 수정

Browse Source
This commit is contained in:
thisgun
2018-12-12 17:28:55 +09:00
parent 82078fc781
commit 038affe798
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
adm/admin.lib.php
View File

@ -436,7 +436,7 @@ function admin_check_xss_params($params){
if( is_array($value) ){
admin_check_xss_params($params);
} else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
} else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/onload=.*/ius', $value)) ){
alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
die();
}

6
bbs/alert.php
View File

@ -67,13 +67,17 @@ history.back();
<form method="post" action="<?php echo $url ?>">
<?php
foreach($_POST as $key => $value) {
$key = clean_xss_tags($url);
$value = clean_xss_tags($value);
if(strlen($value) < 1)
continue;
if(preg_match("/pass|pwd|capt|url/", $key))
continue;
?>
<input type="hidden" name="<?php echo $key ?>" value="<?php echo $value ?>">
<input type="hidden" name="<?php echo htmlspecialchars($key); ?>" value="<?php echo htmlspecialchars($value); ?>">
<?php
}
?>