firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

KVE-2018-1808 취약점 수정

Browse Source
This commit is contained in:
thisgun
2018-12-12 17:28:55 +09:00
parent 82078fc781
commit 038affe798
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
adm/admin.lib.php
View File

@ -436,7 +436,7 @@ function admin_check_xss_params($params){
if( is_array($value) ){ if( is_array($value) ){
admin_check_xss_params($params); admin_check_xss_params($params);
} else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){ } else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/onload=.*/ius', $value)) ){
alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.'); alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
die(); die();
} }

6
bbs/alert.php
View File

@ -67,13 +67,17 @@ history.back();
<form method="post" action="<?php echo $url ?>"> <form method="post" action="<?php echo $url ?>">
<?php <?php
foreach($_POST as $key => $value) { foreach($_POST as $key => $value) {
$key = clean_xss_tags($url);
$value = clean_xss_tags($value);
if(strlen($value) < 1) if(strlen($value) < 1)
continue; continue;
if(preg_match("/pass|pwd|capt|url/", $key)) if(preg_match("/pass|pwd|capt|url/", $key))
continue; continue;
?> ?>
<input type="hidden" name="<?php echo $key ?>" value="<?php echo $value ?>"> <input type="hidden" name="<?php echo htmlspecialchars($key); ?>" value="<?php echo htmlspecialchars($value); ?>">
<?php <?php
} }
?> ?>