From 0abf00d793ad7e4bb62daa381c47dd8561ae425f Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 20 Apr 2018 16:00:54 +0900
Subject: [PATCH] =?UTF-8?q?=ED=81=AC=EB=A1=AC=20=EB=AA=A8=EB=B0=94?= =?UTF-8?q?=EC=9D=BC=20=EB=8D=B0=EC=9D=B4=ED=84=B0=20=EC=A0=88=EC=95=BD=20?= =?UTF-8?q?=EB=AA=A8=EB=93=9C=20=EA=B4=80=EB=A6=AC=EC=9E=90=20=ED=8E=98?= =?UTF-8?q?=EC=9D=B4=EC=A7=80=20=EC=A0=91=EC=86=8D=20=EC=98=A4=EB=A5=98=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/admin.lib.php   | 2 +-
 bbs/login_check.php | 2 +-
 lib/common.lib.php  | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 822f5857b..80abc95f0 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -436,7 +436,7 @@ else if ($is_admin != 'super')
 }
 
 // 관리자의 아이피, 브라우저와 다르다면 세션을 끊고 관리자에게 메일을 보낸다.
-$admin_key = md5($member['mb_datetime'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
+$admin_key = md5($member['mb_datetime'] . get_real_client_ip() . $_SERVER['HTTP_USER_AGENT']);
 if (get_session('ss_mb_key') !== $admin_key)
 {
     session_destroy();
diff --git a/bbs/login_check.php b/bbs/login_check.php
index ec9bf3dcf..28075ccc1 100644
--- a/bbs/login_check.php
+++ b/bbs/login_check.php
@@ -56,7 +56,7 @@ if ( is_use_email_certify() && !preg_match("/[1-9]/", $mb['mb_email_certify']))
 // 회원아이디 세션 생성
 set_session('ss_mb_id', $mb['mb_id']);
 // FLASH XSS 공격에 대응하기 위하여 회원의 고유키를 생성해 놓는다. 관리자에서 검사함 - 110106
-set_session('ss_mb_key', md5($mb['mb_datetime'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
+set_session('ss_mb_key', md5($mb['mb_datetime'] . get_real_client_ip() . $_SERVER['HTTP_USER_AGENT']));
 
 // 포인트 체크
 if($config['cf_use_point']) {
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 30db1d554..69b64e586 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
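Review bot: The admin key on the new `$admin_key = md5(...)` line is now built from get_real_client_ip(), which (per the lib/common.lib.php hunk) returns the X-Forwarded-For header verbatim whenever it is present, so the IP component of the key no longer binds the session to the network peer — the sending client decides what that header contains. The comment on the line above still says the check compares the admin's IP, which is only true when the header is honoured solely from a trusted proxy. Suggest replacing that comment with `// The IP part of this key comes from get_real_client_ip(); it only binds the session to a peer address when X-Forwarded-For is supplied by a trusted proxy, otherwise the browser/UA part is the only binding.` The same point applies to the bbs/login_check.php hunk, where ss_mb_key is first created with the same expression. Both hunks are top-level script code rather than a function body.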
@@ -3403,6 +3403,14 @@ function is_use_email_certify(){
 
     return $config['cf_use_email_certify'];
 }
 
+function get_real_client_ip(){
+
+    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
+        return $_SERVER['HTTP_X_FORWARDED_FOR'];
+
+    return $_SERVER['REMOTE_ADDR'];
+}
+
 function get_call_func_cache($func, $args=array()){
     static $cache = array();
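Review bot: get_real_client_ip() returns $_SERVER['HTTP_X_FORWARDED_FOR'] unchanged whenever the header is set, without checking that REMOTE_ADDR is a proxy the site operates or that the value is a single valid IP address, so a header any HTTP client can send replaces the peer address in the ss_mb_key binding. It also defeats the commit's own goal in part: the header is commonly a comma-separated chain ("client, proxy"), and a chain whose hops differ between requests yields a different key each time, which is the same spurious session drop this commit is trying to avoid. Gate the header on a configured trusted-proxy list, pick the element adjacent to the trusted hop, validate it with filter_var(FILTER_VALIDATE_IP), and fall back to REMOTE_ADDR otherwise; the proxy list in the sketch below is a placeholder to be filled from deployment configuration (the page does not give the proxy ranges involved). A short docblock stating that the result is only meaningful behind a trusted proxy would also help callers. is_use_email_certify() and get_call_func_cache() begin and end outside the hunk.
```php
function get_real_client_ip(){
    // X-Forwarded-For is written by whoever sends the request, so only honour it
    // when the direct peer is a proxy we operate. Placeholder: load from config.
    $trusted_proxies = array(/* TRUSTED_PROXY_IP_PLACEHOLDER */);

    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, true)) {
        // With a single trusted hop, the last element is the address that hop saw;
        // earlier elements may have been supplied by the client itself.
        $hops = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $ip = trim(end($hops));
        if(filter_var($ip, FILTER_VALIDATE_IP) !== false)
            return $ip;
    }

    return $_SERVER['REMOTE_ADDR'];
}
```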