From 38451a7d3dc9f9ec580c574f7a79deb0fa981fe0 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Wed, 4 Jun 2025 17:44:50 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2025-0384]XSS=20lead=20to=20RCE=20?=
 =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/common.lib.php          | 13 ++++++++++---
 plugin/sns/twitter/html.inc | 16 +++++++++-------
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index 0ef8037c6..c9a2d9068 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -4186,7 +4186,14 @@ function is_include_path_check($path='', $is_input='')
             if ( $peer_count && $peer_count > $slash_count ){
                 return false;
             }
-
+            
+            $dirname_doc_root = !empty($_SERVER['DOCUMENT_ROOT']) ? dirname($_SERVER['DOCUMENT_ROOT']) : dirname(dirname(dirname(__DIR__)));
+            
+            // 웹서버 폴더만 허용
+            if ($dirname_doc_root && file_exists($path) && strpos(realpath($path), realpath($dirname_doc_root)) !== 0) {
+                return false;
+            }
+            
             try {
                 // whether $path is unix or not
                 $unipath = strlen($path)==0 || substr($path, 0, 1) != '/';
@@ -4222,8 +4229,8 @@ function is_include_path_check($path='', $is_input='')
                 //echo 'Caught exception: ',  $e->getMessage(), "\n";
                 return false;
             }
-
-            if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) ){
+            
+            if (preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) || preg_match('/pear(cmd)?\.php/i', $replace_path)){
                 return false;
             }
             if( preg_match('/'.G5_PLUGIN_DIR.'\//i', $replace_path) && (preg_match('/'.G5_OKNAME_DIR.'\//i', $replace_path) || preg_match('/'.G5_KCPCERT_DIR.'\//i', $replace_path) || preg_match('/'.G5_LGXPAY_DIR.'\//i', $replace_path)) || (preg_match('/search\.skin\.php/i', $replace_path) ) ){
diff --git a/plugin/sns/twitter/html.inc b/plugin/sns/twitter/html.inc
index e093e35e7..0197746a3 100644
--- a/plugin/sns/twitter/html.inc
+++ b/plugin/sns/twitter/html.inc
@@ -22,18 +22,20 @@
         Contact @<a href='http://twitter.com/abraham'>abraham</a>
       </p>
       <hr />
-      <?php if (isset($menu)) { ?>
-        <?php echo $menu; ?>
+      <?php if (isset($menu) && is_string($menu)) { ?>
+        <?php echo htmlspecialchars($menu, ENT_QUOTES, 'UTF-8'); ?>
       <?php } ?>
     </div>
-    <?php if (isset($status_text)) { ?>
-      <?php echo '<h3>'.$status_text.'</h3>'; ?>
+    <?php if (isset($status_text) && is_string($status_text)) { ?>
+      <?php echo '<h3>'.htmlspecialchars($status_text, ENT_QUOTES, 'UTF-8').'</h3>'; ?>
     <?php } ?>
-    <p>
+    <div>
       <pre>
-        <?php print_r($content); ?>
+        <?php if (isset($content) && (is_array($content) || is_object($content))) {
+            echo htmlspecialchars(json_encode($content, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), ENT_QUOTES, 'UTF-8');
+        } ?>
       </pre>
-    </p>
+    </div>
 
   </body>
 </html>