KVE-2019-1145 XSS, CSRF를 이용한 원격코드 취약점 수정

2019-07-15 18:35:16 +09:00
parent 828b362f67
commit 05f913258d
2 changed files with 4 additions and 1 deletions
--- a/adm/shop_admin/categoryformupdate.php
+++ b/adm/shop_admin/categoryformupdate.php
@ -48,6 +48,9 @@ foreach( $check_keys as $key ){
    }
 }

+$ca_include_head = $_POST['ca_include_head'];
+$ca_include_tail = $_POST['ca_include_tail'];
+
 if ($w == "u" || $w == "d")
    check_demo();

--- a/adm/shop_admin/couponmember.php
+++ b/adm/shop_admin/couponmember.php
@ -13,7 +13,7 @@ $sql_common = " from {$g5['member_table']} ";
 $sql_where = " where mb_id <> '{$config['cf_admin']}' and mb_leave_date = '' and mb_intercept_date ='' ";

 if($mb_name){
-    $mb_name = strip_tags($mb_name);
+    $mb_name = preg_replace('/\!\?\*$#<>()\[\]\{\}/i', '', strip_tags($mb_name));
    $sql_where .= " and mb_name like '%".sql_real_escape_string($mb_name)."%' ";
 }