[KVE-2022-0193] 그누보드(영카트) SSRF & Business Logic Bug 취약점 수정

shop/inicis/libs/HttpClient.php

@@ -36,7 +36,7 @@ class HttpClient {
         // [scheme] => https
         // [host] => fcstdpay.inicis.com || stdpay.inicis.com || ksstdpay.inicis.com
         // [path] => /api/payAuth
-        if (preg_match("#\.inicis\.com$#", $url_data["host"]) == false) {
+        if (! is_inicis_url_return($url)) {
             return false;
         }
 

shop/kakaopay/kakaopay_cancel.php

@@ -62,6 +62,8 @@ if($cancelFlag == "true")
 
     }
 
+    if(! (isset($inipay) && method_exists($inipay, 'SetField'))) return;
+
     $TID = $tno;
     $inipay->SetField("type", "cancel"); // 고정
     if( $default['de_kakaopay_cancelpwd'] ){

shop/kakaopay/mobile_pay_approval.php

@@ -13,7 +13,7 @@ set_session('P_AMT',  '');
 set_session('P_HASH', '');
 
 $oid  = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
-$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : '';
+$p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
 
 if( ! $p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)){
     alert("잘못된 요청 URL 입니다.");
@@ -91,7 +91,7 @@ if($_REQUEST['P_STATUS'] != '00') {
 
     $ch = curl_init();
     curl_setopt($ch, CURLOPT_PORT, 443);
-    curl_setopt($ch, CURLOPT_URL, $_REQUEST['P_REQ_URL']);
+    curl_setopt($ch, CURLOPT_URL, $p_req_url);
     curl_setopt($ch, CURLOPT_POST, 1);
     curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);