From 3cf0546711fc91758765fd04225898d3f351850d Mon Sep 17 00:00:00 2001 From: thisgun Date: Thu, 13 Feb 2020 15:23:11 +0900 Subject: [PATCH 1/7] =?UTF-8?q?[KVE-2020-0100,0101]=EA=B7=B8=EB=88=84?= =?UTF-8?q?=EB=B3=B4=EB=93=9C=20=EA=B4=80=EB=A6=AC=EC=9E=90=ED=8E=98?= =?UTF-8?q?=EC=9D=B4=EC=A7=80=20XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/sms_admin/form_write.php | 2 ++ adm/sms_admin/sms_write_form.php | 2 ++ 2 files changed, 4 insertions(+) diff --git a/adm/sms_admin/form_write.php b/adm/sms_admin/form_write.php index 6191bd59d..b8e4913f7 100644 --- a/adm/sms_admin/form_write.php +++ b/adm/sms_admin/form_write.php @@ -6,6 +6,8 @@ auth_check($auth[$sub_menu], "w"); $g5['title'] = "이모티콘 "; +$fg_no = isset($fg_no) ? (int) $fg_no : ''; + if ($w == 'u' && is_numeric($fo_no)) { $write = sql_fetch("select * from {$g5['sms5_form_table']} where fo_no='$fo_no'"); $g5['title'] .= '수정'; diff --git a/adm/sms_admin/sms_write_form.php b/adm/sms_admin/sms_write_form.php index fdbf64c91..103535b5e 100644 --- a/adm/sms_admin/sms_write_form.php +++ b/adm/sms_admin/sms_write_form.php @@ -7,6 +7,8 @@ while ($res = sql_fetch_array($qry)) array_push($group, $res); $res = sql_fetch("select count(*) as cnt from `{$g5['sms5_form_table']}` where fg_no=0"); $no_count = $res['cnt']; + +$fg_no = isset($fg_no) ? (int) $fg_no : ''; ?>
From 3c0cde3fe2521fdcef2316c56402424c3775b886 Mon Sep 17 00:00:00 2001 From: thisgun Date: Thu, 13 Feb 2020 16:24:27 +0900 Subject: [PATCH 2/7] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20XSS?= =?UTF-8?q?=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/board_form_update.php | 4 ++-- adm/board_list_update.php | 2 +- adm/contentformupdate.php | 2 +- adm/newwinformupdate.php | 2 +- adm/point_update.php | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/adm/board_form_update.php b/adm/board_form_update.php index c668136a5..8ddb1840c 100644 --- a/adm/board_form_update.php +++ b/adm/board_form_update.php @@ -80,8 +80,8 @@ $bo_category_list = isset($_POST['bo_category_list']) ? str_replace($src_char, $ //https://github.com/gnuboard/gnuboard5/commit/f5f4925d4eb28ba1af728e1065fc2bdd9ce1da58 에 따른 조치 $str_bo_category_list = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", "", $bo_category_list); -$_POST['bo_subject'] = strip_tags($_POST['bo_subject']); -$_POST['bo_mobile_subject'] = strip_tags($_POST['bo_mobile_subject']); +$_POST['bo_subject'] = strip_tags(clean_xss_attributes($_POST['bo_subject'])); +$_POST['bo_mobile_subject'] = strip_tags(clean_xss_attributes($_POST['bo_mobile_subject'])); $sql_common = " gr_id = '{$gr_id}', bo_subject = '{$_POST['bo_subject']}', diff --git a/adm/board_list_update.php b/adm/board_list_update.php index 8a5ba44ec..552f60d99 100644 --- a/adm/board_list_update.php +++ b/adm/board_list_update.php @@ -33,7 +33,7 @@ if ($_POST['act_button'] == "선택수정") { alert('최고관리자가 아닌 경우 다른 관리자의 게시판('.$board_table[$k].')은 수정이 불가합니다.'); } - $p_bo_subject = is_array($_POST['bo_subject']) ? strip_tags($_POST['bo_subject'][$k]) : ''; + $p_bo_subject = is_array($_POST['bo_subject']) ? strip_tags(clean_xss_attributes($_POST['bo_subject'][$k])) : ''; $sql = " update {$g5['board_table']} set gr_id = '".sql_real_escape_string(strip_tags($_POST['gr_id'][$k]))."', diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php index 41170884b..58437acda 100644 --- a/adm/contentformupdate.php +++ b/adm/contentformupdate.php @@ -21,7 +21,7 @@ if ($w == "" || $w == "u") } $co_id = preg_replace('/[^a-z0-9_]/i', '', $co_id); -$co_subject = strip_tags($co_subject); +$co_subject = strip_tags(clean_xss_attributes($co_subject)); $co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); $co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255)); $co_tag_filter_use = isset($_POST['co_tag_filter_use']) ? (int) $_POST['co_tag_filter_use'] : 1; diff --git a/adm/newwinformupdate.php b/adm/newwinformupdate.php index 1441ac820..f03701166 100644 --- a/adm/newwinformupdate.php +++ b/adm/newwinformupdate.php @@ -12,7 +12,7 @@ else check_admin_token(); -$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : ''; +$nw_subject = isset($_POST['nw_subject']) ? strip_tags(clean_xss_attributes($_POST['nw_subject'])) : ''; $sql_common = " nw_device = '{$_POST['nw_device']}', nw_begin_time = '{$_POST['nw_begin_time']}', diff --git a/adm/point_update.php b/adm/point_update.php index 571a1dfa6..ac1a70411 100644 --- a/adm/point_update.php +++ b/adm/point_update.php @@ -6,9 +6,9 @@ auth_check($auth[$sub_menu], 'w'); check_admin_token(); -$mb_id = strip_tags($_POST['mb_id']); -$po_point = strip_tags($_POST['po_point']); -$po_content = strip_tags($_POST['po_content']); +$mb_id = strip_tags(clean_xss_attributes($_POST['mb_id'])); +$po_point = strip_tags(clean_xss_attributes($_POST['po_point'])); +$po_content = strip_tags(clean_xss_attributes($_POST['po_content'])); $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']); $mb = get_member($mb_id); From ebac40312fbe3dcd45ca9af877c9e3ad033d66af Mon Sep 17 00:00:00 2001 From: thisgun Date: Thu, 13 Feb 2020 19:03:38 +0900 Subject: [PATCH 3/7] =?UTF-8?q?5.4=20=EB=B2=84=EC=A0=84=20=EC=AA=BD?= =?UTF-8?q?=EC=A7=80=EB=B3=B4=EA=B8=B0=20=ED=8E=98=EC=9D=B4=EC=A7=80?= =?UTF-8?q?=EC=97=90=EC=84=9C=20=EC=AA=BD=EC=A7=80=20=EC=82=AD=EC=A0=9C?= =?UTF-8?q?=EA=B0=80=20=EC=95=88=EB=90=98=EB=8A=94=20=EC=98=A4=EB=A5=98=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/memo_view.php | 9 ++++++--- mobile/skin/member/basic/memo_view.skin.php | 2 +- skin/member/basic/memo_view.skin.php | 2 +- theme/basic/mobile/skin/member/basic/memo_view.skin.php | 2 +- theme/basic/skin/member/basic/memo_view.skin.php | 2 +- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/bbs/memo_view.php b/bbs/memo_view.php index 144e98f43..be6bebc4f 100644 --- a/bbs/memo_view.php +++ b/bbs/memo_view.php @@ -31,14 +31,17 @@ else alert($kind.' 값을 넘겨주세요.'); } -$g5['title'] = $t.' 쪽지 보기'; -include_once(G5_PATH.'/head.sub.php'); - $sql = " select * from {$g5['memo_table']} where me_id = '$me_id' and me_{$kind}_mb_id = '{$member['mb_id']}' "; $memo = sql_fetch($sql); +set_session('ss_memo_delete_token', $token = uniqid(time())); +$del_link = 'memo_delete.php?me_id='.$memo['me_id'].'&token='.$token.'&kind='.$kind; + +$g5['title'] = $t.' 쪽지 보기'; +include_once(G5_PATH.'/head.sub.php'); + // 이전 쪽지 $sql = " select me.*, a.rownum from `{$g5['memo_table']}` as me inner join ( select me_id , (@rownum:=@rownum+1) as rownum from `{$g5['memo_table']}` as memo, (select @rownum:=0) tmp where me_{$kind}_mb_id = '{$member['mb_id']}' and memo.me_type = '$kind' order by me_id desc ) as a on a.me_id = me.me_id where me.me_id < '$me_id' and me.me_{$kind}_mb_id = '{$member['mb_id']}' and me.me_type = '$kind' order by me.me_id desc limit 1 "; diff --git a/mobile/skin/member/basic/memo_view.skin.php b/mobile/skin/member/basic/memo_view.skin.php index e555125a9..17fee28de 100644 --- a/mobile/skin/member/basic/memo_view.skin.php +++ b/mobile/skin/member/basic/memo_view.skin.php @@ -39,7 +39,7 @@ add_stylesheet('',
  • 시간
  • 목록
    • -
  • 삭제
    • +
  • 삭제
    • diff --git a/skin/member/basic/memo_view.skin.php b/skin/member/basic/memo_view.skin.php index e555125a9..17fee28de 100644 --- a/skin/member/basic/memo_view.skin.php +++ b/skin/member/basic/memo_view.skin.php @@ -39,7 +39,7 @@ add_stylesheet('',
  • 시간
  • 목록
    • -
  • 삭제
    • +
  • 삭제
    • diff --git a/theme/basic/mobile/skin/member/basic/memo_view.skin.php b/theme/basic/mobile/skin/member/basic/memo_view.skin.php index e555125a9..17fee28de 100644 --- a/theme/basic/mobile/skin/member/basic/memo_view.skin.php +++ b/theme/basic/mobile/skin/member/basic/memo_view.skin.php @@ -39,7 +39,7 @@ add_stylesheet('',
  • 시간
  • 목록
    • -
  • 삭제
    • +
  • 삭제
    • diff --git a/theme/basic/skin/member/basic/memo_view.skin.php b/theme/basic/skin/member/basic/memo_view.skin.php index e555125a9..17fee28de 100644 --- a/theme/basic/skin/member/basic/memo_view.skin.php +++ b/theme/basic/skin/member/basic/memo_view.skin.php @@ -39,7 +39,7 @@ add_stylesheet('',
  • 시간
  • 목록
    • -
  • 삭제
    • +
  • 삭제
    • From 6ccb8905a0f7a5886f4819820aff1853276e7995 Mon Sep 17 00:00:00 2001 From: thisgun Date: Fri, 14 Feb 2020 11:44:04 +0900 Subject: [PATCH 4/7] =?UTF-8?q?=ED=81=AC=EB=A1=AC=2080=EB=B2=84=EC=A0=84?= =?UTF-8?q?=20=EB=8C=80=EC=9D=91=20=EC=BD=94=EB=93=9C=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- common.php | 11 +++++++---- lib/common.lib.php | 4 +++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/common.php b/common.php index f7f42bd2a..ba97a952c 100644 --- a/common.php +++ b/common.php @@ -230,12 +230,14 @@ if( $config['cf_cert_use'] || (defined('G5_YOUNGCART_VER') && G5_YOUNGCART_VER) if(!function_exists('session_start_samesite')) { function session_start_samesite($options = array()) { + global $g5; + $res = @session_start($options); - // IE 브라우저 또는 엣지브라우저 일때는 secure; SameSite=None 을 설정하지 않습니다. - if( preg_match('/Edge/i', $_SERVER['HTTP_USER_AGENT']) || preg_match('~MSIE|Internet Explorer~i', $_SERVER['HTTP_USER_AGENT']) || preg_match('~Trident/7.0(; Touch)?; rv:11.0~',$_SERVER['HTTP_USER_AGENT']) ){ - return $res; - } + // IE 브라우저 또는 엣지브라우저 일때는 secure; SameSite=None, http 환경에서는 설정하지 않습니다. + if( preg_match('/Edge/i', $_SERVER['HTTP_USER_AGENT']) || preg_match('~MSIE|Internet Explorer~i', $_SERVER['HTTP_USER_AGENT']) || preg_match('~Trident/7.0(; Touch)?; rv:11.0~',$_SERVER['HTTP_USER_AGENT']) || ! (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ){ + return $res; + } $headers = headers_list(); krsort($headers); @@ -243,6 +245,7 @@ if( $config['cf_cert_use'] || (defined('G5_YOUNGCART_VER') && G5_YOUNGCART_VER) if (!preg_match('~^Set-Cookie: PHPSESSID=~', $header)) continue; $header = preg_replace('~; secure(; HttpOnly)?$~', '', $header) . '; secure; SameSite=None'; header($header, false); + $g5['session_cookie_samesite'] = 'none'; break; } return $res; diff --git a/lib/common.lib.php b/lib/common.lib.php index b7a373ab0..432514a24 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -116,11 +116,13 @@ function goto_url($url) // 세션변수 생성 function set_session($session_name, $value) { + global $g5; + static $check_cookie = null; if( $check_cookie === null ){ $cookie_session_name = session_name(); - if( ! ($cookie_session_name && isset($_COOKIE[$cookie_session_name]) && $_COOKIE[$cookie_session_name]) && ! headers_sent() ){ + if( ! isset($g5['session_cookie_samesite']) && ! ($cookie_session_name && isset($_COOKIE[$cookie_session_name]) && $_COOKIE[$cookie_session_name]) && ! headers_sent() ){ @session_regenerate_id(false); } From 1e7d17fd68dc01ca9885b5b65f7ad2445f4b0f95 Mon Sep 17 00:00:00 2001 From: thisgun Date: Fri, 14 Feb 2020 14:35:33 +0900 Subject: [PATCH 5/7] =?UTF-8?q?5.4=20=EB=B2=84=EC=A0=84=20=EC=86=8C?= =?UTF-8?q?=EC=85=9C=EB=A1=9C=EA=B7=B8=EC=9D=B8=20=EC=8A=A4=ED=82=A8=205.3?= =?UTF-8?q?=EB=B2=84=EC=A0=84=EC=97=90=EC=84=9C=EB=8F=84=20=EC=9E=98=20?= =?UTF-8?q?=EB=82=98=EC=98=AC=EC=88=98=20=EC=9E=88=EB=8F=84=EB=A1=9D=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- skin/outlogin/basic/style.css | 1 + skin/social/style.css | 2 +- theme/basic/skin/outlogin/basic/style.css | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/skin/outlogin/basic/style.css b/skin/outlogin/basic/style.css index fed39d8da..f233abd23 100644 --- a/skin/outlogin/basic/style.css +++ b/skin/outlogin/basic/style.css @@ -8,6 +8,7 @@ .ol form {padding:20px} .ol a.btn_admin {display:inline-block;padding:0 10px;height:25px;text-decoration:none;line-height:25px;vertical-align:middle} /* 관리자 전용 버튼 */ .ol a.btn_admin:focus, .ol a.btn_admin:hover {text-decoration:none} +.ol .login-sns{padding-bottom:0px} #ol_before {} #ol_before:after {display:block;visibility:hidden;clear:both;content:""} diff --git a/skin/social/style.css b/skin/social/style.css index 155b5b532..d984ac9b9 100644 --- a/skin/social/style.css +++ b/skin/social/style.css @@ -7,7 +7,7 @@ .bg-warning3 {background:#fff8dc;border:1px solid #f1e4b2} /* SNS LOGIN */ -.login-sns {margin-top:5px;border:1px solid #dde7e9;border-bottom:1px solid #dde7e9;clear:both;background:#fff} +.login-sns {padding-bottom:10px;margin-top:5px;border:1px solid #dde7e9;border-bottom:1px solid #dde7e9;clear:both;background:#fff} .login-sns h3 {padding-top:10px;text-align:center;color:#777;font-weight:normal} .sns-wrap {margin:10px 0 0;text-align:center} .sns-icon {display:inline-block;vertical-align:middle;text-decoration:none} diff --git a/theme/basic/skin/outlogin/basic/style.css b/theme/basic/skin/outlogin/basic/style.css index fed39d8da..f233abd23 100644 --- a/theme/basic/skin/outlogin/basic/style.css +++ b/theme/basic/skin/outlogin/basic/style.css @@ -8,6 +8,7 @@ .ol form {padding:20px} .ol a.btn_admin {display:inline-block;padding:0 10px;height:25px;text-decoration:none;line-height:25px;vertical-align:middle} /* 관리자 전용 버튼 */ .ol a.btn_admin:focus, .ol a.btn_admin:hover {text-decoration:none} +.ol .login-sns{padding-bottom:0px} #ol_before {} #ol_before:after {display:block;visibility:hidden;clear:both;content:""} From 85e075a5c662acb3606515eafca462adfaa458fe Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 18 Feb 2020 12:28:32 +0900 Subject: [PATCH 6/7] =?UTF-8?q?[KVE-2020-0062]=EA=B7=B8=EB=88=84=EB=B3=B4?= =?UTF-8?q?=EB=93=9C,=EC=98=81=EC=B9=B4=ED=8A=B8=20SQL=20=EC=9D=B8?= =?UTF-8?q?=EC=A0=9D=EC=85=98=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/sms_admin/num_book.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/adm/sms_admin/num_book.php b/adm/sms_admin/num_book.php index 567e05f00..f4338c307 100644 --- a/adm/sms_admin/num_book.php +++ b/adm/sms_admin/num_book.php @@ -16,6 +16,8 @@ if ($page < 1) $page = 1; $bg_no = isset($bg_no) ? (int) $bg_no : 0; $st = isset($st) ? preg_replace('/[^a-z0-9]/i', '', $st) : ''; +$sql_korean = $sql_group = $sql_search = $sql_no_hp = ''; + if (is_numeric($bg_no)) $sql_group = " and bg_no='$bg_no' "; else @@ -127,9 +129,9 @@ function no_hp_click(val) onclick="no_hp_click(this.checked)"> From fa9aa8da19f459e8b2d5ef34f1179ef23ae3053c Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 18 Feb 2020 15:06:37 +0900 Subject: [PATCH 7/7] =?UTF-8?q?=EB=B2=84=EC=A0=84=205.4.2=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.php b/config.php index bd813f657..389614add 100644 --- a/config.php +++ b/config.php @@ -5,7 +5,7 @@ ********************/ define('G5_VERSION', '그누보드5'); -define('G5_GNUBOARD_VER', '5.4.1.9'); +define('G5_GNUBOARD_VER', '5.4.2'); // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음 define('_GNUBOARD_', true);