[KVE-2022-0193] 그누보드(영카트) SSRF & Business Logic Bug 취약점 수정

2022-06-17 17:11:05 +09:00
parent d4f4612b22
commit 22ea3d39c1
7 changed files with 22 additions and 12 deletions
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -3933,6 +3933,16 @@ function is_include_path_check($path='', $is_input='')
    return true;
 }

+function is_inicis_url_return($url){
+    $url_data = parse_url($url);
+
+    // KG 이니시스 url이 맞는지 체크하여 맞으면 url을 리턴하고 틀리면 '' 빈값을 리턴합니다.
+    if (isset($url_data['host']) && preg_match('#\.inicis\.com$#i', $url_data['host'])) {
+        return $url;
+    }
+    return '';
+}
+
 function check_auth_session_token($str=''){
    if (get_session('ss_mb_token_key') === get_token_encryption_key($str)) {
        return true;
--- a/mobile/shop/inicis/pay_approval.php
+++ b/mobile/shop/inicis/pay_approval.php
@ -8,7 +8,7 @@ set_session('P_AMT',  '');
 set_session('P_HASH', '');

 $oid  = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
-$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : '';
+$p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
 $p_status = isset($_REQUEST['P_STATUS']) ? trim($_REQUEST['P_STATUS']) : '';
 $p_tid = isset($_REQUEST['P_TID']) ? trim($_REQUEST['P_TID']) : '';
 $p_rmesg1 = isset($_REQUEST['P_RMESG1']) ? trim($_REQUEST['P_RMESG1']) : '';
--- a/plugin/inicert/ini_find_result.php
+++ b/plugin/inicert/ini_find_result.php
@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {

    $post_data = json_encode($data);

-    $url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array();
-
-    if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
+    $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
+    if(!$authRequestUrl){
        alert('잘못된 요청입니다.', G5_URL);
    }

    // curl 통신 시작 
    $ch = curl_init();
-    curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]);
+    curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
--- a/plugin/inicert/ini_result.php
+++ b/plugin/inicert/ini_result.php
@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {

    $post_data = json_encode($data);

-    $url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array();
-
-    if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
+    $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
+    if(!$authRequestUrl){
        alert('잘못된 요청입니다.', G5_URL);
    }

    // curl 통신 시작 
    $ch = curl_init();
-    curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]);
+    curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
--- a/shop/inicis/libs/HttpClient.php
+++ b/shop/inicis/libs/HttpClient.php
@ -36,7 +36,7 @@ class HttpClient {
        // [scheme] => https
        // [host] => fcstdpay.inicis.com || stdpay.inicis.com || ksstdpay.inicis.com
        // [path] => /api/payAuth
-        if (preg_match("#\.inicis\.com$#", $url_data["host"]) == false) {
+        if (! is_inicis_url_return($url)) {
            return false;
        }

--- a/shop/kakaopay/kakaopay_cancel.php
+++ b/shop/kakaopay/kakaopay_cancel.php
@ -62,6 +62,8 @@ if($cancelFlag == "true")

    }

+    if(! (isset($inipay) && method_exists($inipay, 'SetField'))) return;
+
    $TID = $tno;
    $inipay->SetField("type", "cancel"); // 고정
    if( $default['de_kakaopay_cancelpwd'] ){
--- a/shop/kakaopay/mobile_pay_approval.php
+++ b/shop/kakaopay/mobile_pay_approval.php
@ -13,7 +13,7 @@ set_session('P_AMT',  '');
 set_session('P_HASH', '');

 $oid  = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
-$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : '';
+$p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';

 if( ! $p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)){
    alert("잘못된 요청 URL 입니다.");
@ -91,7 +91,7 @@ if($_REQUEST['P_STATUS'] != '00') {

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_PORT, 443);
-    curl_setopt($ch, CURLOPT_URL, $_REQUEST['P_REQ_URL']);
+    curl_setopt($ch, CURLOPT_URL, $p_req_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);