From 18d4a60e035cc578e979a6f4a0b42477ddb7f032 Mon Sep 17 00:00:00 2001 From: thisgun Date: Fri, 24 May 2019 10:44:48 +0900 Subject: [PATCH] =?UTF-8?q?[KVE-2019-0688,0689,0691,0694,0708,0709,0750,07?= =?UTF-8?q?62,0791,0802,0846]=20=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C,?= =?UTF-8?q?=EC=98=81=EC=B9=B4=ED=8A=B8=20=EB=8B=A4=EC=A4=91=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/board_list_update.php | 24 ++++++++++++------------ adm/contentform.php | 4 ++-- head.sub.php | 3 +++ lib/common.lib.php | 4 ++-- plugin/okname/hpcert1.php | 10 ++++++++-- plugin/okname/hpcert2.php | 10 ++++++++-- plugin/okname/ipin1.php | 10 ++++++++-- plugin/okname/ipin2.php | 10 ++++++++-- theme/basic/head.sub.php | 3 +++ 9 files changed, 54 insertions(+), 24 deletions(-) diff --git a/adm/board_list_update.php b/adm/board_list_update.php index 90a1c5d33..a7f358c1f 100644 --- a/adm/board_list_update.php +++ b/adm/board_list_update.php 
@@ -30,18 +30,18 @@ if ($_POST['act_button'] == "선택수정") { } $sql = " update {$g5['board_table']} - set gr_id = '".sql_real_escape_string($_POST['gr_id'][$k])."', - bo_subject = '".sql_real_escape_string($_POST['bo_subject'][$k])."', - bo_device = '".sql_real_escape_string($_POST['bo_device'][$k])."', - bo_skin = '".sql_real_escape_string($_POST['bo_skin'][$k])."', - bo_mobile_skin = '".sql_real_escape_string($_POST['bo_mobile_skin'][$k])."', - bo_read_point = '".sql_real_escape_string($_POST['bo_read_point'][$k])."', - bo_write_point = '".sql_real_escape_string($_POST['bo_write_point'][$k])."', - bo_comment_point = '".sql_real_escape_string($_POST['bo_comment_point'][$k])."', - bo_download_point = '".sql_real_escape_string($_POST['bo_download_point'][$k])."', - bo_use_search = '".sql_real_escape_string($_POST['bo_use_search'][$k])."', - bo_use_sns = '".sql_real_escape_string($_POST['bo_use_sns'][$k])."', - bo_order = '".sql_real_escape_string($_POST['bo_order'][$k])."' + set gr_id = '".sql_real_escape_string(strip_tags($_POST['gr_id'][$k]))."', + bo_subject = '".sql_real_escape_string(strip_tags($_POST['bo_subject'][$k]))."', + bo_device = '".sql_real_escape_string(strip_tags($_POST['bo_device'][$k]))."', + bo_skin = '".sql_real_escape_string(strip_tags($_POST['bo_skin'][$k]))."', + bo_mobile_skin = '".sql_real_escape_string(strip_tags($_POST['bo_mobile_skin'][$k]))."', + bo_read_point = '".sql_real_escape_string(strip_tags($_POST['bo_read_point'][$k]))."', + bo_write_point = '".sql_real_escape_string(strip_tags($_POST['bo_write_point'][$k]))."', + bo_comment_point = '".sql_real_escape_string(strip_tags($_POST['bo_comment_point'][$k]))."', + bo_download_point = '".sql_real_escape_string(strip_tags($_POST['bo_download_point'][$k]))."', + bo_use_search = '".sql_real_escape_string(strip_tags($_POST['bo_use_search'][$k]))."', + bo_use_sns = '".sql_real_escape_string(strip_tags($_POST['bo_use_sns'][$k]))."', + bo_order = 
'".sql_real_escape_string(strip_tags($_POST['bo_order'][$k]))."' where bo_table = '".sql_real_escape_string($_POST['board_table'][$k])."' "; sql_query($sql); diff --git a/adm/contentform.php b/adm/contentform.php index 6217e4603..133f36e2e 100644 --- a/adm/contentform.php +++ b/adm/contentform.php @@ -86,11 +86,11 @@ include_once (G5_ADMIN_PATH.'/admin.head.php'); 내용 - + 모바일 내용 - + diff --git a/head.sub.php b/head.sub.php index 020900ea2..991d51727 100644 --- a/head.sub.php +++ b/head.sub.php @@ -19,6 +19,9 @@ else { $g5_head_title .= " | ".$config['cf_title']; } +$g5['title'] = strip_tags(get_text($g5['title'])); +$g5_head_title = strip_tags(get_text($g5_head_title)); + // 현재 접속자 // 게시판 제목에 ' 포함되면 오류 발생 $g5['lo_location'] = addslashes($g5['title']); diff --git a/lib/common.lib.php b/lib/common.lib.php index d4197e468..a1abcb54b 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -3416,7 +3416,7 @@ function get_head_title($title){ global $g5; if( isset($g5['board_title']) && $g5['board_title'] ){ - $title = $g5['board_title']; + $title = strip_tags(get_text($g5['board_title'])); } return $title; @@ -3547,7 +3547,7 @@ function is_include_path_check($path='', $is_input='') if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) ){ return false; } - if( preg_match('/\.\.\//i', $replace_path) && preg_match('/plugin\//i', $replace_path) && preg_match('/okname\//i', $replace_path) ){ + if( (preg_match('/\.\.\//i', $replace_path) || preg_match('/^\/.*/i', $replace_path)) && preg_match('/plugin\//i', $replace_path) && preg_match('/okname\//i', $replace_path) ){ return false; } } diff --git a/plugin/okname/hpcert1.php b/plugin/okname/hpcert1.php index 45c64bd8f..d81aaeb73 100644 --- a/plugin/okname/hpcert1.php +++ b/plugin/okname/hpcert1.php @@ -1,8 +1,14 @@
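Review bot: The point-and-flag columns (`bo_read_point`, `bo_write_point`, `bo_comment_point`, `bo_download_point`, `bo_use_search`, `bo_use_sns`, `bo_order`) appear to be numeric, and `strip_tags` on them is a weaker check than a cast, which both validates and makes the later escaping moot: `bo_read_point = '".(int)$_POST['bo_read_point'][$k]."',` and likewise for the other six. For `gr_id`, `bo_skin` and `bo_mobile_skin`, which look like group and skin-directory identifiers, a character allowlist such as `preg_match('/^[A-Za-z0-9_]+$/', ...)` (rejecting the row on mismatch) is a tighter check than tag stripping, since `strip_tags` only addresses HTML and not the values' use as paths or keys. The row selector `$_POST['board_table'][$k]` in the `where` clause is SQL-escaped but gets neither treatment, which is inconsistent with the rest of the statement. The enclosing loop over `$k` starts outside the hunk.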
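Review bot: The two added lines in head.sub.php (and, per the diffstat, the identical lines in theme/basic/head.sub.php) escape `$g5['title']` and `$g5_head_title` in place, while the `get_head_title` hunk in lib/common.lib.php (@@ -3416) now applies the same `strip_tags(get_text(...))` to `$g5['board_title']`; if `$g5_head_title` is assembled from that function, the board title passes through `get_text` twice, which would double-encode `&` unless `get_text` escapes with double-encoding disabled — worth confirming against its implementation. Since `get_text` appears to HTML-escape its input, calling `strip_tags` on its output has no effect on already-escaped markup; if stripping is the intent the order should be `strip_tags` first, then `get_text`. The unchanged `addslashes($g5['title'])` on the following line now receives the escaped string, so the `lo_location` value stored for the current-visitor table will contain entities rather than the raw title — confirm that is what its readers expect. A comment above the new lines such as `// title is escaped once here; templates must not escape it again` would make the single-escape contract explicit.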
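Review bot: The new leading-slash rejection in `is_include_path_check` is still inside the conjunction with `plugin\/` and `okname\/`, so an absolute `$replace_path` (or one containing `../`) that is not under the okname plugin is not rejected by this branch — at least in the visible part of the function, whose start and the derivation of `$replace_path` lie outside the hunk. A more robust shape is to normalize with `realpath()` and require the result to lie under the expected base directory (`G5_PATH`), returning `false` otherwise, instead of pattern-matching the string for specific directories. As a point of style, `/^\/.*/i` is equivalent to `/^\//` (the `.*` and the `i` modifier add nothing) and is clearer as `substr($replace_path, 0, 1) === '/'`.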