[KVE-2025-0384]XSS lead to RCE 취약점 수정

2025-06-04 17:44:50 +09:00
parent 87d11d5c78
commit 38451a7d3d
2 changed files with 19 additions and 10 deletions
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -4186,7 +4186,14 @@ function is_include_path_check($path='', $is_input='')
            if ( $peer_count && $peer_count > $slash_count ){
                return false;
            }
-
+            
+            $dirname_doc_root = !empty($_SERVER['DOCUMENT_ROOT']) ? dirname($_SERVER['DOCUMENT_ROOT']) : dirname(dirname(dirname(__DIR__)));
+            
+            // 웹서버 폴더만 허용
+            if ($dirname_doc_root && file_exists($path) && strpos(realpath($path), realpath($dirname_doc_root)) !== 0) {
+                return false;
+            }
+            
            try {
                // whether $path is unix or not
                $unipath = strlen($path)==0 || substr($path, 0, 1) != '/';
@ -4222,8 +4229,8 @@ function is_include_path_check($path='', $is_input='')
                //echo 'Caught exception: ',  $e->getMessage(), "\n";
                return false;
            }
-
-            if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) ){
+            
+            if (preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) || preg_match('/pear(cmd)?\.php/i', $replace_path)){
                return false;
            }
            if( preg_match('/'.G5_PLUGIN_DIR.'\//i', $replace_path) && (preg_match('/'.G5_OKNAME_DIR.'\//i', $replace_path) || preg_match('/'.G5_KCPCERT_DIR.'\//i', $replace_path) || preg_match('/'.G5_LGXPAY_DIR.'\//i', $replace_path)) || (preg_match('/search\.skin\.php/i', $replace_path) ) ){
--- a/plugin/sns/twitter/html.inc
+++ b/plugin/sns/twitter/html.inc
@ -22,18 +22,20 @@
        Contact @<a href='http://twitter.com/abraham'>abraham</a>
      </p>
      <hr />
-      <?php if (isset($menu)) { ?>
-        <?php echo $menu; ?>
+      <?php if (isset($menu) && is_string($menu)) { ?>
+        <?php echo htmlspecialchars($menu, ENT_QUOTES, 'UTF-8'); ?>
      <?php } ?>
    </div>
-    <?php if (isset($status_text)) { ?>
-      <?php echo '<h3>'.$status_text.'</h3>'; ?>
+    <?php if (isset($status_text) && is_string($status_text)) { ?>
+      <?php echo '<h3>'.htmlspecialchars($status_text, ENT_QUOTES, 'UTF-8').'</h3>'; ?>
    <?php } ?>
-    <p>
+    <div>
      <pre>
-        <?php print_r($content); ?>
+        <?php if (isset($content) && (is_array($content) || is_object($content))) {
+            echo htmlspecialchars(json_encode($content, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), ENT_QUOTES, 'UTF-8');
+        } ?>
      </pre>
-    </p>
+    </div>

  </body>
 </html>