From 22ea3d39c17beb59e2950f039a1f33e65c364b5e Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 17 Jun 2022 17:11:05 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2022-0193]=20=EA=B7=B8=EB=88=84=EB=B3=B4?=
 =?UTF-8?q?=EB=93=9C(=EC=98=81=EC=B9=B4=ED=8A=B8)=20SSRF=20&=20Business=20?=
 =?UTF-8?q?Logic=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/common.lib.php | 10 ++++++++++
 mobile/shop/inicis/pay_approval.php | 2 +-
 plugin/inicert/ini_find_result.php | 7 +++----
 plugin/inicert/ini_result.php | 7 +++----
 shop/inicis/libs/HttpClient.php | 2 +-
 shop/kakaopay/kakaopay_cancel.php | 2 ++
 shop/kakaopay/mobile_pay_approval.php | 4 ++--
 7 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index 2d36a7fb4..3de355fa9 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3933,6 +3933,16 @@ function is_include_path_check($path='', $is_input='')
 return true;
 }
+function is_inicis_url_return($url){
 $url_data = parse_url($url);
 // KG 이니시스 url이 맞는지 체크하여 맞으면 url을 리턴하고 틀리면 '' 빈값을 리턴합니다.
 if (isset($url_data['host']) && preg_match('#\.inicis\.com$#i', $url_data['host'])) {
 return $url;
 }
 return '';
 }
 function check_auth_session_token($str=''){
 if (get_session('ss_mb_token_key') === get_token_encryption_key($str)) {
 return true;
diff --git a/mobile/shop/inicis/pay_approval.php b/mobile/shop/inicis/pay_approval.php
index b3029d0e3..04e63fbec 100644
--- a/mobile/shop/inicis/pay_approval.php
+++ b/mobile/shop/inicis/pay_approval.php
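Review bot: `is_inicis_url_return()` only checks the host suffix, so a URL with any scheme passes, and callers that hand the result straight to curl — plugin/inicert/ini_find_result.php and ini_result.php in this same patch, whose hunks show no scheme check — will still connect over plain `http://`; only mobile_pay_approval.php adds its own `^https://` test. If every legitimate caller uses https, move that check into the helper, `if (isset($url_data['scheme'], $url_data['host']) && strtolower($url_data['scheme']) === 'https' && preg_match('#\.inicis\.com$#iD', $url_data['host'])) {`, where the `D` modifier stops `$` from also matching before a trailing newline in the host. `parse_url()` returns `false` for a malformed URL and the `isset()` already turns that case into `''`, which is worth a one-line comment so nobody "fixes" it later. A PHPDoc along the lines of `@param string $url` / `@return string the URL unchanged, or '' when its host is not under inicis.com` would document the contract the callers now rely on.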
@@ -8,7 +8,7 @@ set_session('P_AMT', '');
 set_session('P_HASH', '');
 $oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
-$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : '';
+$p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
 $p_status = isset($_REQUEST['P_STATUS']) ? trim($_REQUEST['P_STATUS']) : '';
 $p_tid = isset($_REQUEST['P_TID']) ? trim($_REQUEST['P_TID']) : '';
 $p_rmesg1 = isset($_REQUEST['P_RMESG1']) ? trim($_REQUEST['P_RMESG1']) : '';
diff --git a/plugin/inicert/ini_find_result.php b/plugin/inicert/ini_find_result.php
index c0e9825b8..5352f21f4 100644
--- a/plugin/inicert/ini_find_result.php
+++ b/plugin/inicert/ini_find_result.php
@@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {
 $post_data = json_encode($data);
- $url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array();
-
- if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
+ $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
+ if(!$authRequestUrl){
 alert('잘못된 요청입니다.', G5_URL);
 }
 // curl 통신 시작
 $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]);
+ curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
diff --git a/plugin/inicert/ini_result.php b/plugin/inicert/ini_result.php
index 0c02d1e4b..113283b6a 100644
--- a/plugin/inicert/ini_result.php
+++ b/plugin/inicert/ini_result.php
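Review bot: `$p_req_url` is now silently replaced by `''` when the host is not under inicis.com, but unlike shop/kakaopay/mobile_pay_approval.php in the same patch this hunk shows no guard that stops processing on an empty value; if none follows outside the hunk, the script carries on and the failure only surfaces wherever the empty URL is eventually used. Add the same check directly after the changed line, `if (!$p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)) { alert("잘못된 요청 URL 입니다."); }`, so an invalid return URL is rejected explicitly and with the same message as the kakaopay flow. The rest of the approval flow lies outside this hunk, so whether such a guard already exists further down is inferred.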
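Review bot: The rejection in `if(!$authRequestUrl){` relies on `alert()`, defined elsewhere, ending the request; if it only prints the message, execution reaches `curl_setopt($ch, CURLOPT_URL, $authRequestUrl)` with an empty URL. Making the exit explicit, `alert('잘못된 요청입니다.', G5_URL); exit;`, removes that dependency, and since the helper returns a string, `if ($authRequestUrl === '')` states the intent more precisely than a truthiness test. The raw `$_POST["authRequestUrl"]` is also passed without `trim()`, whereas both pay_approval callers in this patch trim first; trimming here keeps the check consistent across callers. The identical hunk in plugin/inicert/ini_result.php has the same points.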
@@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {
 $post_data = json_encode($data);
- $url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array();
-
- if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
+ $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
+ if(!$authRequestUrl){
 alert('잘못된 요청입니다.', G5_URL);
 }
 // curl 통신 시작
 $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]);
+ curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
diff --git a/shop/inicis/libs/HttpClient.php b/shop/inicis/libs/HttpClient.php
index ac162a16e..ddc448910 100644
--- a/shop/inicis/libs/HttpClient.php
+++ b/shop/inicis/libs/HttpClient.php
@@ -36,7 +36,7 @@ class HttpClient {
 // [scheme] => https
 // [host] => fcstdpay.inicis.com || stdpay.inicis.com || ksstdpay.inicis.com
 // [path] => /api/payAuth
- if (preg_match("#\.inicis\.com$#", $url_data["host"]) == false) {
+ if (! is_inicis_url_return($url)) {
 return false;
 }
diff --git a/shop/kakaopay/kakaopay_cancel.php b/shop/kakaopay/kakaopay_cancel.php
index 3e6317473..3fe1e0086 100644
--- a/shop/kakaopay/kakaopay_cancel.php
+++ b/shop/kakaopay/kakaopay_cancel.php
@@ -62,6 +62,8 @@ if($cancelFlag == "true")
 }
+ if(! (isset($inipay) && method_exists($inipay, 'SetField'))) return;
+ $TID = $tno;
 $inipay->SetField("type", "cancel"); // 고정
 if( $default['de_kakaopay_cancelpwd'] ){
diff --git a/shop/kakaopay/mobile_pay_approval.php b/shop/kakaopay/mobile_pay_approval.php
index f587d83ba..58cf413b5 100644
--- a/shop/kakaopay/mobile_pay_approval.php
+++ b/shop/kakaopay/mobile_pay_approval.php
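Review bot: The comment block above the new check still describes the `$url_data` array (`[scheme]`, `[host]`, `[path]`) that the old `preg_match` read, but the new line `if (! is_inicis_url_return($url)) {` re-parses `$url` inside the helper and no longer touches `$url_data`; if nothing else in the method uses it, the earlier `parse_url()` call that produced it is now dead. Update the comment to say what is actually enforced, e.g. `// host must end in .inicis.com; is_inicis_url_return() returns '' otherwise`, and drop the unused parse if that turns out to be the case. The enclosing method starts and ends outside the hunk, so whether `$url` is its parameter is inferred from the old code's use of `$url_data`.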
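Review bot: The new guard `if(! (isset($inipay) && method_exists($inipay, 'SetField'))) return;` bails out silently, so when the payment object is missing the cancellation is simply skipped with nothing logged and nothing shown to the operator, and the including script cannot tell that no cancel request was made. Prefer an explicit failure — `alert('잘못된 요청입니다.', G5_URL);` as the inicert files in this patch do, if an alert is appropriate in this context, or at least an `error_log()` before the `return` — so a skipped cancel is visible in the logs. A short comment on why `$inipay` can be unset at this point would also help the next reader, since the cause is not visible in the hunk and the enclosing `if($cancelFlag == "true")` block starts outside it.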
@@ -13,7 +13,7 @@ set_session('P_AMT', '');
 set_session('P_HASH', '');
 $oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
-$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : '';
+$p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
 if( ! $p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)){
 alert("잘못된 요청 URL 입니다.");
@@ -91,7 +91,7 @@ if($_REQUEST['P_STATUS'] != '00') {
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_PORT, 443);
- curl_setopt($ch, CURLOPT_URL, $_REQUEST['P_REQ_URL']);
+ curl_setopt($ch, CURLOPT_URL, $p_req_url);
 curl_setopt($ch, CURLOPT_POST, 1);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
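Review bot: `P_REQ_URL` is still read from `$_REQUEST`, which merges GET, POST and cookie values, so the new host check has to hold against all three sources; if the gateway delivers these parameters by POST only, reading `$_POST['P_REQ_URL']` narrows the input the check defends (the same applies to the neighbouring `$_REQUEST['P_*']` reads). The validation order on the changed line is right — `trim()`, then `is_inicis_url_return()`, then the `^https://` test below it — and a one-line comment stating that both host and scheme are checked here, e.g. `// P_REQ_URL must be an https URL under inicis.com; anything else is rejected below`, would make that intent explicit for the next reader.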
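Review bot: `curl_setopt($ch, CURLOPT_PORT, 443)` just above the changed line overrides any port component of `$p_req_url`, and since `is_inicis_url_return()` validates only the host (the scheme is checked separately at the top of the file), that explicit port is what keeps the request on the standard TLS port; document it, `// force 443: the URL check validates host and scheme only, not the port`. No `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` setting is visible in the hunk; curl verifies by default, so only confirm that nothing outside the hunk turns it off. The enclosing `if($_REQUEST['P_STATUS'] != '00')` block starts and ends outside the hunk.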