firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

[KVE-2022-0193] 그누보드(영카트) SSRF & Business Logic Bug 취약점 수정

Browse Source
This commit is contained in:
thisgun
2022-06-17 17:11:05 +09:00
parent d4f4612b22
commit 22ea3d39c1
7 changed files with 22 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/common.lib.php
View File

@ -3933,6 +3933,16 @@ function is_include_path_check($path='', $is_input='')
return true; return true;
} }
function is_inicis_url_return($url){
$url_data = parse_url($url);
// KG 이니시스 url이 맞는지 체크하여 맞으면 url을 리턴하고 틀리면 '' 빈값을 리턴합니다.
if (isset($url_data['host']) && preg_match('#\.inicis\.com$#i', $url_data['host'])) {
return $url;
}
return '';
}
function check_auth_session_token($str=''){ function check_auth_session_token($str=''){
if (get_session('ss_mb_token_key') === get_token_encryption_key($str)) { if (get_session('ss_mb_token_key') === get_token_encryption_key($str)) {
return true; return true;

2
mobile/shop/inicis/pay_approval.php
View File

@ -8,7 +8,7 @@ set_session('P_AMT', '');
set_session('P_HASH', ''); set_session('P_HASH', '');
$oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : ''; $oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : ''; $p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
$p_status = isset($_REQUEST['P_STATUS']) ? trim($_REQUEST['P_STATUS']) : ''; $p_status = isset($_REQUEST['P_STATUS']) ? trim($_REQUEST['P_STATUS']) : '';
$p_tid = isset($_REQUEST['P_TID']) ? trim($_REQUEST['P_TID']) : ''; $p_tid = isset($_REQUEST['P_TID']) ? trim($_REQUEST['P_TID']) : '';
$p_rmesg1 = isset($_REQUEST['P_RMESG1']) ? trim($_REQUEST['P_RMESG1']) : ''; $p_rmesg1 = isset($_REQUEST['P_RMESG1']) ? trim($_REQUEST['P_RMESG1']) : '';

7
plugin/inicert/ini_find_result.php
View File

@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {
$post_data = json_encode($data); $post_data = json_encode($data);
$url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array(); $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
if(!$authRequestUrl){
if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
alert('잘못된 요청입니다.', G5_URL); alert('잘못된 요청입니다.', G5_URL);
} }
// curl 통신 시작 // curl 통신 시작
$ch = curl_init(); $ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]); curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);

7
plugin/inicert/ini_result.php
View File

@ -13,15 +13,14 @@ if ($txId && isset($_POST["resultCode"]) && $_POST["resultCode"] === "0000") {
$post_data = json_encode($data); $post_data = json_encode($data);
$url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array(); $authRequestUrl = isset($_POST["authRequestUrl"]) ? is_inicis_url_return($_POST["authRequestUrl"]) : '';
if(!$authRequestUrl){
if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
alert('잘못된 요청입니다.', G5_URL); alert('잘못된 요청입니다.', G5_URL);
} }
// curl 통신 시작 // curl 통신 시작
$ch = curl_init(); $ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]); curl_setopt($ch, CURLOPT_URL, $authRequestUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);

2
shop/inicis/libs/HttpClient.php
View File

@ -36,7 +36,7 @@ class HttpClient {
// [scheme] => https // [scheme] => https
// [host] => fcstdpay.inicis.com || stdpay.inicis.com || ksstdpay.inicis.com // [host] => fcstdpay.inicis.com || stdpay.inicis.com || ksstdpay.inicis.com
// [path] => /api/payAuth // [path] => /api/payAuth
if (preg_match("#\.inicis\.com$#", $url_data["host"]) == false) { if (! is_inicis_url_return($url)) {
return false; return false;
} }

2
shop/kakaopay/kakaopay_cancel.php
View File

@ -62,6 +62,8 @@ if($cancelFlag == "true")
} }
if(! (isset($inipay) && method_exists($inipay, 'SetField'))) return;
$TID = $tno; $TID = $tno;
$inipay->SetField("type", "cancel"); // 고정 $inipay->SetField("type", "cancel"); // 고정
if( $default['de_kakaopay_cancelpwd'] ){ if( $default['de_kakaopay_cancelpwd'] ){

4
shop/kakaopay/mobile_pay_approval.php
View File

@ -13,7 +13,7 @@ set_session('P_AMT', '');
set_session('P_HASH', ''); set_session('P_HASH', '');
$oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : ''; $oid = isset($_REQUEST['P_NOTI']) ? trim($_REQUEST['P_NOTI']) : '';
$p_req_url = isset($_REQUEST['P_REQ_URL']) ? trim($_REQUEST['P_REQ_URL']) : ''; $p_req_url = isset($_REQUEST['P_REQ_URL']) ? is_inicis_url_return(trim($_REQUEST['P_REQ_URL'])) : '';
if( ! $p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)){ if( ! $p_req_url || !preg_match('/^https\:\/\//i', $p_req_url)){
alert("잘못된 요청 URL 입니다."); alert("잘못된 요청 URL 입니다.");
@ -91,7 +91,7 @@ if($_REQUEST['P_STATUS'] != '00') {
$ch = curl_init(); $ch = curl_init();
curl_setopt($ch, CURLOPT_PORT, 443); curl_setopt($ch, CURLOPT_PORT, 443);
curl_setopt($ch, CURLOPT_URL, $_REQUEST['P_REQ_URL']); curl_setopt($ch, CURLOPT_URL, $p_req_url);
curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);