관리자 CSRF 취약점 수정

This commit is contained in:
chicpro
2015-11-23 18:22:10 +09:00
parent 976c9d0f9b
commit 32d09cff7d
49 changed files with 179 additions and 62 deletions


@ -71,4 +71,51 @@ function delete_confirm2(msg)
return true;
else
return false;
}
}
function get_ajax_token()
{
var token = "";
$.ajax({
type: "POST",
url: "./ajax.token.php",
cache: false,
async: false,
dataType: "json",
success: function(data) {
if(data.error) {
alert(data.error);
if(data.url)
document.location.href = data.url;
return false;
}
token = data.token;
}
});
return token;
}
$(function() {
$(document).on("click", "form input:submit", function() {
var f = this.form;
var token = get_ajax_token();
if(!token) {
alert("토큰 정보가 올바르지 않습니다.");
return false;
}
var $f = $(f);
if(typeof f.token === "undefined")
$f.append('<input type="hidden" name="token" value="">');
$f.find("input[name=token]").val(token);
return true;
});
});
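Review bot: The token is only injected inside the delegated `$(document).on("click", "form input:submit", …)` handler, so a form submitted through a `<button type="submit">`, a submission a browser does not route through a synthesized click on an `input`, or a script calling `form.submit()` reaches the server with the empty `token` hidden field and is rejected by the new server-side check. Handling the form's `submit` event instead covers every path — `$(document).on("submit", "form", function() { … })` — or at minimum widen the selector to `"form input:submit, form button:submit"`. Separately, `get_ajax_token()` has no `error:` callback, so a failed or non-JSON response silently yields `""` and only the generic token alert; an `error: function() { token = ""; }` branch with its own message would make failures diagnosable. `async: false` is also deprecated in browsers and blocks the UI for the round trip, though dropping it means restructuring the handler around a deferred submit.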


@ -346,6 +346,54 @@ function order_select($fld, $sel='')
return $s;
}
// 불법접근을 막도록 토큰을 생성하면서 토큰값을 리턴
function get_admin_token()
{
$token = md5(uniqid(rand(), true));
set_session('ss_admin_token', $token);
return $token;
}
// POST로 넘어온 토큰과 세션에 저장된 토큰 비교
function check_admin_token()
{
$token = get_session('ss_admin_token');
set_session('ss_admin_token', '');
if(!$token || !$_POST['token'] || $token != $_POST['token'])
alert('올바른 방법으로 이용해 주십시오.');
return true;
}
// 관리자 페이지 referer 체크
function admin_referer_check($return=false)
{
$referer = trim($_SERVER['HTTP_REFERER']);
if(!$referer) {
$msg = '정보가 올바르지 않습니다.';
if($return)
return $msg;
else
alert($msg, G5_URL);
}
$p = @parse_url($referer);
$host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
if($host != $p['host']) {
$msg = '올바른 방법으로 이용해 주십시오.';
if($return)
return $msg;
else
alert($msg, G5_URL);
}
}
// 접근 권한 검사
if (!$member['mb_id'])
{
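Review bot: `check_admin_token()` compares the session token and `$_POST['token']` with loose `!=`, which for two numeric-looking strings (an md5 hex digest of the form `0e` followed by digits is one) is evaluated numerically, and it indexes `$_POST['token']` without `isset()`, emitting a notice on every POST that lacks the field. A strict, constant-time comparison closes both: `if (!$token || !isset($_POST['token']) || !is_string($_POST['token']) || !hash_equals($token, $_POST['token']))` (`hash_equals` needs PHP 5.6; `!==` is the fallback below that). `get_admin_token()` derives the token from `md5(uniqid(rand(), true))`, which is not a cryptographic source — `bin2hex(openssl_random_pseudo_bytes(16))` yields an unpredictable token of the same length and character set. The `return true` after `alert()` only makes sense if `alert()` terminates the request, which this hunk does not show; a comment `// alert() exits on failure, so reaching here means the token matched` would record that dependency. `admin_referer_check()` likewise reads `$_SERVER['HTTP_REFERER']` unguarded and should use `isset($_SERVER['HTTP_REFERER']) ? trim($_SERVER['HTTP_REFERER']) : ''`.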

adm/ajax.token.php Normal file

@ -0,0 +1,14 @@
<?php
include_once('./_common.php');
include_once(G5_LIB_PATH.'/json.lib.php');
set_session('ss_admin_token', '');
$error = admin_referer_check(true);
if($error)
die(json_encode(array('error'=>$error, 'url'=>G5_URL)));
$token = get_admin_token();
die(json_encode(array('error'=>'', 'token'=>$token, 'url'=>'')));
?>
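Review bot: Minting a token here is gated only by `admin_referer_check()`; the file neither restricts the request method nor checks that the call came via XMLHttpRequest, so its resistance to a cross-site page rests on the Referer header plus the same-origin policy keeping the response unreadable. Requiring the header jQuery already sends on same-origin requests — `if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SERVER['HTTP_X_REQUESTED_WITH'])) die(json_encode(array('error'=>'올바른 방법으로 이용해 주십시오.', 'url'=>G5_URL)));` — adds a condition a cross-origin form post cannot satisfy without a CORS preflight. The response also lacks `header('Content-Type: application/json; charset=utf-8');` ahead of the `die(json_encode(...))` calls. Note that `set_session('ss_admin_token', '')` runs before the referer check, so any request that reaches this file invalidates a token another open admin tab may be about to submit; whether `./_common.php` enforces an admin session before this point is not visible here.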


@ -5,8 +5,6 @@ include_once('./_common.php');
if ($is_admin != 'super')
alert('최고관리자만 접근 가능합니다.');
$token = get_token();
$sql_common = " from {$g5['auth_table']} a left join {$g5['member_table']} b on (a.mb_id=b.mb_id) ";
$sql_search = " where (1) ";
@ -73,7 +71,7 @@ $colspan = 5;
<input type="hidden" name="sfl" value="<?php echo $sfl ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_head01 tbl_wrap">
<table>
@ -168,7 +166,7 @@ echo $pagelist;
<input type="hidden" name="sst" value="<?php echo $sst ?>">
<input type="hidden" name="sod" value="<?php echo $sod ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<section id="add_admin">
<h2 class="h2_frm">관리권한 추가</h2>


@ -7,7 +7,7 @@ check_demo();
if ($is_admin != 'super')
alert('최고관리자만 접근 가능합니다.');
check_token();
check_admin_token();
$count = count($_POST['chk']);


@ -9,7 +9,7 @@ $mb = get_member($mb_id);
if (!$mb['mb_id'])
alert('존재하는 회원아이디가 아닙니다.');
check_token();
check_admin_token();
$sql = " insert into {$g5['auth_table']}
set mb_id = '{$_POST['mb_id']}',


@ -13,6 +13,7 @@ include_once(G5_PATH.'/head.sub.php');
<form name="fboardcopy" id="fboardcopy" action="./board_copy_update.php" onsubmit="return fboardcopy_check(this);" method="post">
<input type="hidden" name="bo_table" value="<?php echo $bo_table ?>" id="bo_table">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -4,6 +4,8 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'w');
check_admin_token();
$target_table = trim($_POST['target_table']);
$target_subject = trim($_POST['target_subject']);


@ -166,6 +166,7 @@ $frm_submit .= '</div>';
<input type="hidden" name="sst" value="<?php echo $sst ?>">
<input type="hidden" name="sod" value="<?php echo $sod ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="">
<section id="anc_bo_basic">
<h2 class="h2_frm">게시판 기본 설정</h2>


@ -7,6 +7,8 @@ if ($w == 'u')
auth_check($auth[$sub_menu], 'w');
check_admin_token();
if (!$_POST['gr_id']) { alert('그룹 ID는 반드시 선택하세요.'); }
if (!$bo_table) { alert('게시판 TABLE명은 반드시 입력하세요.'); }
if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); }


@ -51,7 +51,7 @@ if ($_POST['act_button'] == "선택수정") {
auth_check($auth[$sub_menu], 'd');
check_token();
check_admin_token();
// _BOARD_DELETE_ 상수를 선언해야 board_delete.inc.php 가 정상 작동함
define('_BOARD_DELETE_', true);
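Review bot: `check_admin_token()` replaces `check_token()` only in the branch under `auth_check($auth[$sub_menu], 'd')`, while the hunk header shows the file also dispatches on `$_POST['act_button'] == "선택수정"`; if that branch updates rows without a token check of its own it remains a CSRF target, which this hunk cannot confirm either way. If it is unprotected, a single `check_admin_token();` placed before the `act_button` dispatch covers both branches with one token. The enclosing `if` block begins outside the hunk.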


@ -38,6 +38,7 @@ include_once('./admin.head.php');
<input type="hidden" name="sst" value="<?php echo $sst ?>">
<input type="hidden" name="sod" value="<?php echo $sod ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -9,6 +9,8 @@ auth_check($auth[$sub_menu], 'w');
if ($is_admin != 'super' && $w == '') alert('최고관리자만 접근 가능합니다.');
check_admin_token();
if (!preg_match("/^([A-Za-z0-9_]{1,10})$/", $_POST['gr_id']))
alert('그룹 ID는 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (10자 이내)');


@ -88,7 +88,7 @@ $colspan = 10;
<input type="hidden" name="sfl" value="<?php echo $sfl ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_head01 tbl_wrap">
<table>


@ -8,6 +8,8 @@ check_demo();
auth_check($auth[$sub_menu], 'w');
check_admin_token();
$count = count($_POST['chk']);
if(!$count)


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'w');
$token = get_token();
$mb = get_member($mb_id);
if (!$mb['mb_id'])
alert('존재하지 않는 회원입니다.');
@ -18,7 +16,7 @@ $colspan = 4;
<form name="fboardgroupmember_form" id="fboardgroupmember_form" action="./boardgroupmember_update.php" onsubmit="return boardgroupmember_form_check(this)" method="post">
<input type="hidden" name="mb_id" value="<?php echo $mb['mb_id'] ?>" id="mb_id">
<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
<input type="hidden" name="token" value="" id="token">
<div class="local_cmd01 local_cmd">
<p>아이디 <b><?php echo $mb['mb_id'] ?></b>, 이름 <b><?php echo get_text($mb['mb_name']); ?></b>, 닉네임 <b><?php echo $mb['mb_nick'] ?></b></p>
<label for="gr_id">그룹지정</label>


@ -28,7 +28,7 @@ if ($w == '')
}
else
{
check_token();
check_admin_token();
$sql = " insert into {$g5['group_member_table']}
set gr_id = '{$_POST['gr_id']}',
@ -45,7 +45,7 @@ else if ($w == 'd' || $w == 'ld')
if(!$count)
alert('삭제할 목록을 하나이상 선택해 주세요.');
check_token();
check_admin_token();
for($i=0; $i<$count; $i++) {
$gm_id = $_POST['chk'][$i];


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'r');
$token = get_token();
if ($is_admin != 'super')
alert('최고관리자만 접근 가능합니다.');
@ -229,7 +227,7 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
?>
<form name="fconfigform" id="fconfigform" method="post" onsubmit="return fconfigform_submit(this);">
<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
<input type="hidden" name="token" value="" id="token">
<section id="anc_cf_basic">
<h2 class="h2_frm">홈페이지 기본환경 설정</h2>


@ -13,7 +13,7 @@ $mb = get_member($cf_admin);
if (!$mb['mb_id'])
alert('최고관리자 회원아이디가 존재하지 않습니다.');
check_token();
check_admin_token();
// 본인확인을 사용할 경우 아이핀, 휴대폰인증 중 하나는 선택되어야 함
if($_POST['cf_cert_use'] && !$_POST['cf_cert_ipin'] && !$_POST['cf_cert_hp'])


@ -60,6 +60,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
<form name="frmcontentform" action="./contentformupdate.php" onsubmit="return frmcontentform_check(this);" method="post" enctype="MULTIPART/FORM-DATA" >
<input type="hidden" name="w" value="<?php echo $w; ?>">
<input type="hidden" name="co_html" value="1">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -5,10 +5,13 @@ include_once('./_common.php');
if ($w == "u" || $w == "d")
check_demo();
if ($w == 'd')
if ($w == 'd') {
admin_referer_check();
auth_check($auth[$sub_menu], "d");
else
} else {
check_admin_token();
auth_check($auth[$sub_menu], "w");
}
@mkdir(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
@chmod(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
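Review bot: In the new `if ($w == 'd') {` branch, deletion is protected only by `admin_referer_check()` while writes get `check_admin_token()`; Referer is the weaker control — browsers under strict referrer policies and privacy extensions drop it, which would also lock legitimate admins out of deleting — and the content form changed in this same commit already carries a hidden `token` field. Unless deletes are triggered from a plain link rather than that form, the branch can require both: `admin_referer_check();` followed by `check_admin_token();`. If deletes really are link-triggered, record the dependency with a comment such as `// delete is link-triggered: the Referer check is the only CSRF control on this path`.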


@ -31,6 +31,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
<input type="hidden" name="w" value="<?php echo $w; ?>">
<input type="hidden" name="fm_id" value="<?php echo $fm_id; ?>">
<input type="hidden" name="fa_id" value="<?php echo $fa_id; ?>">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -5,10 +5,13 @@ include_once('./_common.php');
if ($w == "u" || $w == "d")
check_demo();
if ($W == 'd')
if ($W == 'd') {
admin_referer_check();
auth_check($auth[$sub_menu], "d");
else
} else {
check_admin_token();
auth_check($auth[$sub_menu], "w");
}
$sql_common = " fa_subject = '$fa_subject',
fa_content = '$fa_content',
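Review bot: The new `if ($W == 'd') {` tests `$W` (uppercase) while the `check_demo()` guard two lines above tests `$w`; PHP variable names are case-sensitive, so unless a `W` request parameter is being populated elsewhere this branch is unreachable, and every request — deletes included — falls into the `else` branch and receives `check_admin_token()` plus `auth_check(..., "w")` instead of the intended `"d"` authorization. The likely fix is `if ($w == 'd') {`. Once corrected, the delete branch would be left with only the Referer check; consider keeping `check_admin_token();` in both branches, since the faq form in this commit already carries the hidden `token` field.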


@ -36,6 +36,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
<form name="frmfaqmasterform" action="./faqmasterformupdate.php" onsubmit="return frmfaqmasterform_check(this);" method="post" enctype="MULTIPART/FORM-DATA">
<input type="hidden" name="w" value="<?php echo $w; ?>">
<input type="hidden" name="fm_id" value="<?php echo $fm_id; ?>">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -5,10 +5,13 @@ include_once('./_common.php');
if ($w == "u" || $w == "d")
check_demo();
if ($W == 'd')
if ($W == 'd') {
admin_referer_check();
auth_check($auth[$sub_menu], "d");
else
} else {
check_admin_token();
auth_check($auth[$sub_menu], "w");
}
@mkdir(G5_DATA_PATH."/faq", G5_DIR_PERMISSION);
@chmod(G5_DATA_PATH."/faq", G5_DIR_PERMISSION);
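Review bot: The new `if ($W == 'd') {` tests `$W` while the `check_demo()` guard above tests `$w`; variable names are case-sensitive in PHP, so unless a `W` parameter exists elsewhere the delete branch with its `"d"` authorization is unreachable and deletes are processed by the `else` branch under `"w"` authorization. Replace with `if ($w == 'd') {`, and then confirm the delete path still has a CSRF control beyond the Referer header — the faqmaster form in this commit already submits a hidden `token`, so `check_admin_token();` can stay in both branches.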


@ -6,7 +6,7 @@ check_demo();
auth_check($auth[$sub_menu], 'd');
check_token();
check_admin_token();
$count = count($_POST['chk']);


@ -5,8 +5,6 @@ include_once(G5_EDITOR_LIB);
auth_check($auth[$sub_menu], 'r');
$token = get_token();
$html_title = '회원메일';
if ($w == 'u') {
@ -30,7 +28,7 @@ include_once('./admin.head.php');
<form name="fmailform" id="fmailform" action="./mail_update.php" onsubmit="return fmailform_check(this);" method="post">
<input type="hidden" name="w" value="<?php echo $w ?>" id="w">
<input type="hidden" name="ma_id" value="<?php echo $ma['ma_id'] ?>" id="ma_id">
<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
<input type="hidden" name="token" value="" id="token">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'r');
$token = get_token();
$ma_last_option = "";
$sql_common = " from {$g5['member_table']} ";
@ -69,7 +67,7 @@ include_once('./admin.head.php');
?>
<form name="fmailselectlist" id="fmailselectlist" method="post" action="./mail_select_update.php">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<input type="hidden" name="ma_id" value="<?php echo $ma_id ?>">
<div class="tbl_head01 tbl_wrap">


@ -8,7 +8,7 @@ $html_title = '회원메일 발송';
check_demo();
check_token();
check_admin_token();
include_once('./admin.head.php');
include_once(G5_LIB_PATH.'/mailer.lib.php');


@ -7,7 +7,7 @@ if ($w == 'u' || $w == 'd')
auth_check($auth[$sub_menu], 'w');
check_token();
check_admin_token();
if ($w == '')
{


@ -17,7 +17,7 @@ else if (is_admin($mb['mb_id']) == "super")
else if ($mb['mb_level'] >= $member['mb_level'])
alert("자신보다 권한이 높거나 같은 회원은 삭제할 수 없습니다.");
check_token();
check_admin_token();
// 회원자료 삭제
member_delete($mb['mb_id']);


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'w');
$token = get_token();
if ($w == '')
{
$required_mb_id = 'required';
@ -144,7 +142,7 @@ add_javascript(G5_POSTCODE_JS, 0); //다음 주소 js
<input type="hidden" name="sst" value="<?php echo $sst ?>">
<input type="hidden" name="sod" value="<?php echo $sod ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">
<table>


@ -8,7 +8,7 @@ if ($w == 'u')
auth_check($auth[$sub_menu], 'w');
check_token();
check_admin_token();
$mb_id = trim($_POST['mb_id']);


@ -114,6 +114,7 @@ $colspan = 16;
<input type="hidden" name="sfl" value="<?php echo $sfl ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="">
<div class="tbl_head02 tbl_wrap">
<table>


@ -6,7 +6,7 @@ check_demo();
auth_check($auth[$sub_menu], "d");
check_token();
check_admin_token();
$msg = "";
for ($i=0; $i<count($chk); $i++)


@ -5,8 +5,6 @@ include_once('./_common.php');
if ($is_admin != 'super')
alert('최고관리자만 접근 가능합니다.');
$token = get_token();
// 메뉴테이블 생성
if( !isset($g5['menu_table']) ){
die('<meta charset="utf-8">dbconfig.php 파일에 <strong>$g5[\'menu_table\'] = G5_TABLE_PREFIX.\'menu\';</strong> 를 추가해 주세요.');
@ -40,7 +38,7 @@ $colspan = 7;
</div>
<form name="fmenulist" id="fmenulist" method="post" action="./menu_list_update.php" onsubmit="return fmenulist_submit(this);">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="btn_add01 btn_add">
<button type="button" onclick="return add_menu();">메뉴추가<span class="sound_only"> 새창</span></button>


@ -7,7 +7,7 @@ check_demo();
if ($is_admin != 'super')
alert('최고관리자만 접근 가능합니다.');
check_token();
check_admin_token();
// 이전 메뉴정보 삭제
$sql = " delete from {$g5['menu_table']} ";


@ -32,6 +32,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
<form name="frmnewwin" action="./newwinformupdate.php" onsubmit="return frmnewwin_check(this);" method="post">
<input type="hidden" name="w" value="<?php echo $w; ?>">
<input type="hidden" name="nw_id" value="<?php echo $nw_id; ?>">
<input type="hidden" name="token" value="">
<div class="local_desc01 local_desc">
<p>초기화면 접속 시 자동으로 뜰 팝업레이어를 설정합니다.</p>


@ -5,10 +5,13 @@ include_once('./_common.php');
if ($w == "u" || $w == "d")
check_demo();
if ($w == 'd')
if ($w == 'd') {
admin_referer_check();
auth_check($auth[$sub_menu], "d");
else
} else {
check_admin_token();
auth_check($auth[$sub_menu], "w");
}
$sql_common = " nw_device = '{$_POST['nw_device']}',
nw_begin_time = '{$_POST['nw_begin_time']}',


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'r');
$token = get_token();
$sql_common = " from {$g5['point_table']} ";
$sql_search = " where (1) ";
@ -100,7 +98,7 @@ else
<input type="hidden" name="sfl" value="<?php echo $sfl ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_head01 tbl_wrap">
<table>


@ -6,7 +6,7 @@ check_demo();
auth_check($auth[$sub_menu], 'd');
check_token();
check_admin_token();
$count = count($_POST['chk']);
if(!$count)


@ -4,7 +4,7 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'w');
check_token();
check_admin_token();
$mb_id = $_POST['mb_id'];
$po_point = $_POST['po_point'];


@ -6,7 +6,7 @@ check_demo();
auth_check($auth[$sub_menu], 'd');
check_token();
check_admin_token();
$count = count($_POST['chk']);


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'w');
$token = get_token();
$html_title = '투표';
if ($w == '')
$html_title .= ' 생성';
@ -28,7 +26,7 @@ include_once('./admin.head.php');
<input type="hidden" name="sst" value="<?php echo $sst ?>">
<input type="hidden" name="sod" value="<?php echo $sod ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_frm01 tbl_wrap">


@ -8,7 +8,7 @@ if ($w == 'u' || $w == 'd')
auth_check($auth[$sub_menu], 'w');
check_token();
check_admin_token();
if ($w == '')
{


@ -4,8 +4,6 @@ include_once('./_common.php');
auth_check($auth[$sub_menu], 'r');
$token = get_token();
$sql_common = " from {$g5['poll_table']} ";
$sql_search = " where (1) ";
@ -79,7 +77,7 @@ $colspan = 7;
<input type="hidden" name="sfl" value="<?php echo $sfl ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<input type="hidden" name="token" value="">
<div class="tbl_head01 tbl_wrap">
<table>


@ -5,8 +5,6 @@ include_once(G5_EDITOR_LIB);
auth_check($auth[$sub_menu], 'r');
$token = get_token();
$g5['title'] = '1:1문의 설정';
include_once ('./admin.head.php');
@ -119,7 +117,7 @@ if(!isset($qaconfig['qa_include_head'])) {
?>
<form name="fqaconfigform" id="fqaconfigform" method="post" onsubmit="return fqaconfigform_submit(this);" autocomplete="off">
<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
<input type="hidden" name="token" value="" id="token">
<section id="anc_cf_qa_config">
<h2 class="h2_frm">1:1문의 설정</h2>


@ -6,7 +6,7 @@ check_demo();
auth_check($auth[$sub_menu], 'w');
check_token();
check_admin_token();
$sql = " update {$g5['qa_config_table']}
set qa_title = '{$_POST['qa_title']}',


@ -5,6 +5,8 @@ include_once('./_common.php');
if ($is_admin != 'super')
die('최고관리자만 접근 가능합니다.');
admin_referer_check();
$theme = trim($_POST['theme']);
$theme_dir = get_theme_dir();