From 164944dd0c69b3a06edd093a9d67616189156b5a Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@sir.co.kr>
Date: Tue, 14 Jul 2015 12:10:44 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/alert.php               | 3 ++-
 bbs/confirm.php             | 4 ++++
 bbs/move.php                | 2 +-
 bbs/new.php                 | 2 ++
 bbs/register_form.php       | 3 +++
 bbs/search.php              | 2 +-
 lib/common.lib.php          | 7 ++++++-
 skin/new/basic/new.skin.php | 1 -
 8 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/bbs/alert.php b/bbs/alert.php
index d64b6f2fd..6b1ab26a7 100644
--- a/bbs/alert.php
+++ b/bbs/alert.php
@@ -30,7 +30,8 @@ include_once(G5_PATH.'/head.sub.php');
 
 $msg2 = str_replace("\\n", "<br>", $msg);
 
-if (!$url) $url = $_SERVER['HTTP_REFERER'];
+$url = clean_xss_tags($url);
+if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);
 
 // url 체크
 check_url_host($url);
diff --git a/bbs/confirm.php b/bbs/confirm.php
index 76e9c7652..fcf94e0e9 100644
--- a/bbs/confirm.php
+++ b/bbs/confirm.php
@@ -2,6 +2,10 @@
 include_once('./_common.php');
 include_once(G5_PATH.'/head.sub.php');
 
+$url1 = clean_xss_tags($url1);
+$url2 = clean_xss_tags($url2);
+$url3 = clean_xss_tags($url3);
+
 // url 체크
 check_url_host($url1);
 check_url_host($url2);
diff --git a/bbs/move.php b/bbs/move.php
index e3a7d86f2..a4631addf 100644
--- a/bbs/move.php
+++ b/bbs/move.php
@@ -55,7 +55,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
     <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="act" value="<?php echo $act ?>">
-    <input type="hidden" name="url" value="<?php echo $_SERVER['HTTP_REFERER'] ?>">
+    <input type="hidden" name="url" value="<?php echo clean_xss_tags($_SERVER['HTTP_REFERER']); ?>">
 
     <div class="tbl_head01 tbl_wrap">
         <table>
diff --git a/bbs/new.php b/bbs/new.php
index bbf9ccf96..9e008e861 100644
--- a/bbs/new.php
+++ b/bbs/new.php
@@ -17,6 +17,8 @@ if ($view == "w")
     $sql_common .= " and a.wr_id = a.wr_parent ";
 else if ($view == "c")
     $sql_common .= " and a.wr_id <> a.wr_parent ";
+else
+    $view = '';
 
 $mb_id = isset($_GET['mb_id']) ? ($_GET['mb_id']) : '';
 $mb_id = substr(preg_replace('#[^a-z0-9_]#i', '', $mb_id), 0, 20);
diff --git a/bbs/register_form.php b/bbs/register_form.php
index cb6fd2517..e6583e111 100644
--- a/bbs/register_form.php
+++ b/bbs/register_form.php
@@ -30,6 +30,9 @@ if ($w == "") {
         alert('개인정보처리방침안내의 내용에 동의하셔야 회원가입 하실 수 있습니다.', G5_BBS_URL.'/register.php');
     }
 
+    $agree  = preg_replace('#[^0-9]#', '', $_POST['agree']);
+    $agree2 = preg_replace('#[^0-9]#', '', $_POST['agree2']);
+
     $member['mb_birth'] = '';
     $member['mb_sex']   = '';
     $member['mb_name']  = '';
diff --git a/bbs/search.php b/bbs/search.php
index 4f4df3f19..0f3fe803b 100644
--- a/bbs/search.php
+++ b/bbs/search.php
@@ -17,7 +17,7 @@ if ($stx) {
     $stx = preg_replace('/\//', '\/', trim($stx));
     $sop = strtolower($sop);
     if (!$sop || !($sop == 'and' || $sop == 'or')) $sop = 'and'; // 연산자 and , or
-    $srows = isset($_GET['srows']) ? preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
+    $srows = isset($_GET['srows']) ? (int)preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
     if (!$srows) $srows = 10; // 한페이지에 출력하는 검색 행수
 
     $g5_search['tables'] = Array();
diff --git a/lib/common.lib.php b/lib/common.lib.php
index d8f4bc557..c7f842586 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -192,7 +192,7 @@ function confirm($msg, $url1='', $url2='', $url3='')
         alert($msg);
     }
 
-    if (!$url3) $url3 = $_SERVER['HTTP_REFERER'];
+    if (!$url3) $url3 = clean_xss_tags($_SERVER['HTTP_REFERER']);
 
     $msg = str_replace("\\n", "<br>", $msg);
 
@@ -2723,6 +2723,11 @@ function clean_xss_tags($str)
 {
     $str = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $str);
 
+    $search  = array('"', "'");
+    $replace = array('&#34;', '&#39;');
+
+    $str = str_replace($search, $replace, $str);
+
     return $str;
 }
 
diff --git a/skin/new/basic/new.skin.php b/skin/new/basic/new.skin.php
index 085eec0e6..2558d8118 100644
--- a/skin/new/basic/new.skin.php
+++ b/skin/new/basic/new.skin.php
@@ -45,7 +45,6 @@ add_stylesheet('<link rel="stylesheet" href="'.$new_skin_url.'/style.css">', 0);
 <input type="hidden" name="view"     value="<?php echo $view; ?>">
 <input type="hidden" name="sfl"      value="<?php echo $sfl; ?>">
 <input type="hidden" name="stx"      value="<?php echo $stx; ?>">
-<input type="hidden" name="srows"    value="<?php echo $srows; ?>">
 <input type="hidden" name="bo_table" value="<?php echo $bo_table; ?>">
 <input type="hidden" name="page"     value="<?php echo $page; ?>">
 <input type="hidden" name="pressed"  value="">