From a45241f4bc46aee1ab2cc0749f6444b043681edf Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 30 Oct 2018 09:42:48 +0900
Subject: [PATCH 1/2] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/board_form_update.php | 3 +++
 adm/boardgroup_form.php | 2 +-
 adm/config_form.php | 2 +-
 adm/config_form_update.php | 2 ++
 adm/menu_list.php | 14 ++++++++++++++
 adm/menu_list_update.php | 4 ++--
 bbs/board_head.php | 4 ++--
 bbs/board_tail.php | 4 ++--
 bbs/password.php | 8 ++++----
 9 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 912887760..2222baadb 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -72,6 +72,9 @@ $bo_category_list = str_replace($src_char, $dst_char, $bo_category_list);
 //https://github.com/gnuboard/gnuboard5/commit/f5f4925d4eb28ba1af728e1065fc2bdd9ce1da58 에 따른 조치
 $str_bo_category_list = isset($_POST['bo_category_list']) ? preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", "", $_POST['bo_category_list']) : '';
+$_POST['bo_subject'] = strip_tags($_POST['bo_subject']);
+$_POST['bo_mobile_subject'] = strip_tags($_POST['bo_mobile_subject']);
+
 $sql_common = " gr_id = '{$_POST['gr_id']}',
 bo_subject = '{$_POST['bo_subject']}',
 bo_mobile_subject = '{$_POST['bo_mobile_subject']}',
diff --git a/adm/boardgroup_form.php b/adm/boardgroup_form.php
index 73e162d98..c9e8338bd 100644
--- a/adm/boardgroup_form.php
+++ b/adm/boardgroup_form.php
@@ -117,7 +117,7 @@ include_once('./admin.head.php'); - +
diff --git a/adm/config_form.php b/adm/config_form.php
index 00915fe7d..e4daee961 100644
--- a/adm/config_form.php
+++ b/adm/config_form.php
@@ -1317,7 +1317,7 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) { - +
diff --git a/adm/config_form_update.php b/adm/config_form_update.php
index 03179c345..126786382 100644
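Review bot: The two `strip_tags()` assignments in the adm/board_form_update.php hunk are an input-side, lossy filter: they silently drop legitimate subject text that contains `<`, and they leave quote characters in place, so a subject rendered into an HTML attribute without escaping is still unsafe. The durable fix is encoding at the output site (`htmlspecialchars()`, or the project's `get_text()` helper that the bbs/password.php hunk uses for `$g5['title']`) and storing the value verbatim; the same applies to `$_POST['cf_title'] = strip_tags($_POST['cf_title']);` in the adm/config_form_update.php hunk. Both new lines also read the keys unconditionally, unlike the `isset()`-guarded `$str_bo_category_list` line directly above, so a request without those fields raises an undefined-index notice; `$_POST['bo_subject'] = strip_tags(isset($_POST['bo_subject']) ? $_POST['bo_subject'] : '');` keeps today's behaviour for normal requests. The values are then interpolated straight into `$sql_common`, which this commit does not change; whatever escaping the framework applies to `$_POST` before this point should be confirmed rather than assumed.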
--- a/adm/config_form_update.php
+++ b/adm/config_form_update.php
@@ -26,6 +26,8 @@ if(!$_POST['cf_cert_use']) {
 $cf_social_servicelist = !empty($_POST['cf_social_servicelist']) ? implode(',', $_POST['cf_social_servicelist']) : '';
+$_POST['cf_title'] = strip_tags($_POST['cf_title']);
+
 $sql = " update {$g5['config_table']}
 set cf_title = '{$_POST['cf_title']}',
 cf_admin = '{$_POST['cf_admin']}',
diff --git a/adm/menu_list.php b/adm/menu_list.php
index ffe88aee7..4a6c25127 100644
--- a/adm/menu_list.php
+++ b/adm/menu_list.php
@@ -196,6 +196,20 @@ function base_convert(number, frombase, tobase) {
 function fmenulist_submit(f) {
+
+ var me_links = document.getElementsByName('me_link[]');
+ var reg = /^javascript/;
+
+ for (i=0; i
diff --git a/adm/menu_list_update.php b/adm/menu_list_update.php
index f05e2ec22..4244d3343 100644
--- a/adm/menu_list_update.php
+++ b/adm/menu_list_update.php
@@ -23,8 +23,8 @@ for ($i=0; $i<$count; $i++)
 $code = $_POST['code'][$i];
 $me_name = $_POST['me_name'][$i];
- $me_link = $_POST['me_link'][$i];
-
+ $me_link = preg_match('/^javascript/', $_POST['me_link'][$i]) ? G5_URL : strip_tags($_POST['me_link'][$i]);
+
 if(!$code || !$me_name || !$me_link) continue;
diff --git a/bbs/board_head.php b/bbs/board_head.php
index 04b60450f..a62706a28 100644
--- a/bbs/board_head.php
+++ b/bbs/board_head.php
@@ -5,13 +5,13 @@ if (!defined('_GNUBOARD_')) exit; // 개별 페이지 접근 불가
 if (G5_IS_MOBILE) { // 모바일의 경우 설정을 따르지 않는다.
 include_once(G5_BBS_PATH.'/_head.php');
- echo stripslashes($board['bo_mobile_content_head']);
+ echo html_purifier(stripslashes($board['bo_mobile_content_head']));
 } else {
 if(is_include_path_check($board['bo_include_head'])) { //파일경로 체크
 @include ($board['bo_include_head']);
 } else { //파일경로가 올바르지 않으면 기본파일을 가져옴
 include_once(G5_BBS_PATH.'/_head.php');
 }
- echo stripslashes($board['bo_content_head']);
+ echo html_purifier(stripslashes($board['bo_content_head']));
 }
 ?>
\ No newline at end of file
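Review bot: In the adm/menu_list.php hunk the new loop in `fmenulist_submit` declares `me_links` and `reg` with `var` but not the index, so `for (i=0; ...` assigns an implicit global `i`; write `for (var i = 0; ...`. The `/^javascript/` test is case-sensitive and runs only in the browser, so it is a courtesy check at best; the server-side test in adm/menu_list_update.php is the one that must hold, and this one should at least match the same way (`var reg = /^\s*javascript/i;`). The remainder of the loop body and the end of the function are cut off on this page, so they could not be reviewed.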
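Review bot: The new `$me_link` line in the adm/menu_list_update.php hunk matches `/^javascript/` without the `i` modifier and without trimming, so the same value written with different letter case or leading whitespace is passed through `strip_tags()` unchanged; a deny-list of a single scheme is also a thin filter for a value that is presumably rendered as a link target. Normalise first and keep the fallback to `G5_URL` the line already has: `$me_link = trim(strip_tags($_POST['me_link'][$i]));` followed by `$me_link = preg_match('/^javascript/i', $me_link) ? G5_URL : $me_link;` is the minimal change that keeps the current shape, and an allow-list (site-relative path or `http`/`https` URL) would be the stronger one. The enclosing `for` loop starts before this hunk.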
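Review bot: `html_purifier()` now runs on every page view over `bo_content_head` / `bo_mobile_content_head` in the bbs/board_head.php hunk (and over the tail fields in the bbs/board_tail.php hunk), which is the right place for a backstop but — assuming it wraps an HTML Purifier-style parser — is comparatively expensive for content that only changes when an administrator saves it. Consider purifying once at save time in adm/board_form_update.php, which this commit already touches, or caching the purified output, and keep the render-time call as the second line of defence. The helper is not defined in this diff; confirm that it fails closed (returns an empty or escaped string rather than the raw input) when its underlying library is unavailable or throws. Applying `stripslashes()` before purification is the correct order, since the purifier must see the final markup.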
diff --git a/bbs/board_tail.php b/bbs/board_tail.php
index 57b81b46e..436e2cc3b 100644
--- a/bbs/board_tail.php
+++ b/bbs/board_tail.php
@@ -3,11 +3,11 @@ if (!defined('_GNUBOARD_')) exit; // 개별 페이지 접근 불가
 // 게시판 관리의 하단 파일 경로
 if (G5_IS_MOBILE) {
- echo stripslashes($board['bo_mobile_content_tail']);
+ echo html_purifier(stripslashes($board['bo_mobile_content_tail']));
 // 모바일의 경우 설정을 따르지 않는다.
 include_once(G5_BBS_PATH.'/_tail.php');
 } else {
- echo stripslashes($board['bo_content_tail']);
+ echo html_purifier(stripslashes($board['bo_content_tail']));
 if(is_include_path_check($board['bo_include_tail'])) { //파일경로 체크
 @include ($board['bo_include_tail']);
 } else { //파일경로가 올바르지 않으면 기본파일을 가져옴
diff --git a/bbs/password.php b/bbs/password.php
index e5e0a4d4e..646f3b645 100644
--- a/bbs/password.php
+++ b/bbs/password.php
@@ -43,8 +43,8 @@ switch ($w) {
 include_once(G5_PATH.'/head.sub.php');
-//if ($board['bo_include_head']) { @include ($board['bo_include_head']); }
-//if ($board['bo_content_head']) { echo stripslashes($board['bo_content_head']); }
+//if ($board['bo_include_head'] && is_include_path_check($board['bo_content_head'])) { @include ($board['bo_include_head']); }
+//if ($board['bo_content_head']) { echo html_purifier(stripslashes($board['bo_content_head'])); }
 /* 비밀글의 제목을 가져옴 지운아빠 2013-01-29 */
 $sql = " select wr_subject from {$write_table}
@@ -57,8 +57,8 @@ $g5['title'] = get_text($row['wr_subject']);
 include_once($member_skin_path.'/password.skin.php');
-//if ($board['bo_content_tail']) { echo stripslashes($board['bo_content_tail']); }
-//if ($board['bo_include_tail']) { @include ($board['bo_include_tail']); }
+//if ($board['bo_content_tail']) { echo html_purifier(stripslashes($board['bo_content_tail'])); }
+//if ($board['bo_include_tail'] && is_include_path_check($board['bo_content_tail'])) { @include ($board['bo_include_tail']); }
 include_once(G5_PATH.'/tail.sub.php');
 ?>
From 26f6edfd0b7f1bf1464d08c1da82f6eba0c45b10 Mon Sep 17 00:00:00 2001
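Review bot: The commented-out lines added in both bbs/password.php hunks check the wrong field: `is_include_path_check($board['bo_content_head'])` guards an include of `$board['bo_include_head']`, and `is_include_path_check($board['bo_content_tail'])` guards `$board['bo_include_tail']`, so if either line is ever uncommented the path check validates the content blob rather than the path that gets included. Either make the argument match the included variable (`is_include_path_check($board['bo_include_head'])`, and likewise `bo_include_tail`) or delete the dead code; commented-out code that looks like a security check is worse than none, because it tends to be revived verbatim. Since these lines are comments, the commit changes nothing at runtime here.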
From: thisgun
Date: Tue, 30 Oct 2018 16:02:50 +0900
Subject: [PATCH 2/2] =?UTF-8?q?=EC=86=8C=EC=85=9C=20=EB=A1=9C=EA=B7=B8?= =?UTF-8?q?=EC=9D=B8=ED=95=9C=20=EA=B3=84=EC=A0=95=EC=9D=80=20=ED=9A=8C?= =?UTF-8?q?=EC=9B=90=20=ED=83=88=ED=87=B4=EB=A5=BC=20=EB=AA=BB=ED=95=98?= =?UTF-8?q?=EB=8A=94=20=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/member_confirm.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
index 685dec86c..722a78302 100644
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@@ -11,16 +11,16 @@ else $urlencode = urlencode($_SERVER[REQUEST_URI]);
 */
+$url = clean_xss_tags($_GET['url']);
+
 //소셜 로그인 한 경우
-if( function_exists('social_member_comfirm_redirect') ){
+if( function_exists('social_member_comfirm_redirect') && (! $url || $url === 'register_form.php') ){
 social_member_comfirm_redirect();
 }
 $g5['title'] = '회원 비밀번호 확인';
 include_once('./_head.sub.php');
-$url = clean_xss_tags($_GET['url']);
-
 // url 체크
 check_url_host($url, '', G5_URL, true);
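Review bot: The hoisted `$url = clean_xss_tags($_GET['url']);` reads the key unconditionally, so a request without `url` raises an undefined-index notice and hands `null` to `clean_xss_tags()`; guard it as `$url = isset($_GET['url']) ? clean_xss_tags($_GET['url']) : '';`. The new condition `! $url` tests truthiness, so a `url` of `'0'` is treated as absent — `$url === ''` says what is meant. The `$url === 'register_form.php'` comparison matches only the bare file name, so a site-relative or absolute form of the same page (if any caller passes one) falls through to the password-confirm path; if that is intended, a one-line comment saying so would help the next reader. `check_url_host()` still runs after the social-login branch, which is acceptable here because that branch only fires when `$url` is empty or the fixed name. The script continues past the end of this hunk.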