[KVE-2022-0133] 그누보드 XSS, CSRF 취약점 수정

2022-06-16 16:06:33 +09:00
parent 32e9797fef
commit 4883fb18ae
3 changed files with 59 additions and 5 deletions
--- a/adm/mail_select_list.php
+++ b/adm/mail_select_list.php
@ -4,18 +4,20 @@ require_once './_common.php';

 auth_check_menu($auth, $sub_menu, 'r');

+$ma_id = isset($_REQUEST['ma_id']) ? (int) $_REQUEST['ma_id'] : 0;
+
 $ma_last_option = "";

 $sql_common = " from {$g5['member_table']} ";
 $sql_where = " where (1) ";

-$mb_id1         = isset($_POST['mb_id1'])       ? $_POST['mb_id1'] : 1;
+$mb_id1         = isset($_POST['mb_id1'])       ? (int) $_POST['mb_id1'] : 1;
 $mb_id1_from    = isset($_POST['mb_id1_from'])  ? clean_xss_tags($_POST['mb_id1_from'], 1, 1, 30) : '';
 $mb_id1_to      = isset($_POST['mb_id1_to'])    ? clean_xss_tags($_POST['mb_id1_to'], 1, 1, 30) : '';
 $mb_email       = isset($_POST['mb_email'])     ? clean_xss_tags($_POST['mb_email'], 1, 1, 100) : '';
 $mb_mailling    = isset($_POST['mb_mailling'])  ? clean_xss_tags($_POST['mb_mailling'], 1, 1, 100) : '';
-$mb_level_from  = isset($_POST['mb_level_from'])? $_POST['mb_level_from'] : 1;
-$mb_level_to    = isset($_POST['mb_level_to'])  ? $_POST['mb_level_to'] : 10;
+$mb_level_from  = isset($_POST['mb_level_from'])? (int) $_POST['mb_level_from'] : 1;
+$mb_level_to    = isset($_POST['mb_level_to'])  ? (int) $_POST['mb_level_to'] : 10;

 // 회원ID ..에서 ..까지
 if ($mb_id1 != 1) {
@ -81,7 +83,7 @@ require_once './admin.head.php';

 <form name="fmailselectlist" id="fmailselectlist" method="post" action="./mail_select_update.php">
    <input type="hidden" name="token" value="">
-    <input type="hidden" name="ma_id" value="<?php echo $ma_id ?>">
+    <input type="hidden" name="ma_id" value="<?php echo get_text($ma_id); ?>">

    <div class="tbl_head01 tbl_wrap">
        <table>
--- a/adm/member_form.php
+++ b/adm/member_form.php
@ -240,7 +240,19 @@ add_javascript(G5_POSTCODE_JS, 0);    //다음 주소 js
                        <?php if ($w == 'u') { ?><a href="./boardgroupmember_form.php?mb_id=<?php echo $mb['mb_id'] ?>" class="btn_frmline">접근가능그룹보기</a><?php } ?>
                    </td>
                    <th scope="row"><label for="mb_password">비밀번호<?php echo $sound_only ?></label></th>
-                    <td><input type="password" name="mb_password" id="mb_password" <?php echo $required_mb_password ?> class="frm_input <?php echo $required_mb_password ?>" size="15" maxlength="20"></td>
+                    <td>
+                        <div>
+                        <input type="password" name="mb_password" id="mb_password" <?php echo $required_mb_password ?> class="frm_input <?php echo $required_mb_password ?>" size="15" maxlength="20">
+                        </div>
+                        <div id="mb_password_captcha_wrap" style="display:none">
+                            <?php
+                            require_once G5_CAPTCHA_PATH . '/captcha.lib.php';
+                            $captcha_html = captcha_html();
+                            $captcha_js   = chk_captcha_js();
+                            echo $captcha_html;
+                            ?>
+                        </div>
+                    </td>
                </tr>
                <tr>
                    <th scope="row"><label for="mb_name">이름(실명)<strong class="sound_only">필수</strong></label></th>
@ -582,8 +594,35 @@ add_javascript(G5_POSTCODE_JS, 0);    //다음 주소 js
            return false;
        }

+        if( jQuery("#mb_password").val() ){
+            <?php echo $captcha_js; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함 ?>
+        }
+
        return true;
    }
+
+    jQuery(function($){
+        $("#captcha_key").prop('required', false).removeAttr("required").removeClass("required");
+
+        $("#mb_password").on("keyup", function(e) {
+            var $warp = $("#mb_password_captcha_wrap"),
+                tooptipid = "mp_captcha_tooltip",
+                $span_text = $("<span>", {id:tooptipid, style:"font-size:0.95em;letter-spacing:-0.1em"}).html("비밀번호를 수정할 경우 캡챠를 입력해야 합니다."),
+                $parent = $(this).parent(),
+                is_invisible_recaptcha = $("#captcha").hasClass("invisible_recaptcha");
+
+            if($(this).val()){
+                $warp.show();
+                if(! is_invisible_recaptcha) {
+                    $warp.css("margin-top","1em");
+                    if(! $("#"+tooptipid).length){ $parent.append($span_text) }
+                }
+            } else {
+                $warp.hide();
+                if($("#"+tooptipid).length && ! is_invisible_recaptcha){ $parent.find("#"+tooptipid).remove(); }
+            }
+        });
+    });
 </script>
 <?php
 run_event('admin_member_form_after', $mb, $w);
--- a/adm/member_form_update.php
+++ b/adm/member_form_update.php
@ -18,6 +18,15 @@ $mb_certify_case = isset($_POST['mb_certify_case']) ? preg_replace('/[^0-9a-z_]/
 $mb_certify     = isset($_POST['mb_certify']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['mb_certify']) : '';
 $mb_zip         = isset($_POST['mb_zip']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['mb_zip']) : '';

+// 관리자가 자동등록방지를 사용해야 할 경우 ( 회원의 비밀번호 변경시 캡챠를 체크한다 )
+if ($mb_password && function_exists('get_admin_captcha_by') && get_admin_captcha_by()) {
+    include_once(G5_CAPTCHA_PATH . '/captcha.lib.php');
+
+    if (!chk_captcha()) {
+        alert('자동등록방지 숫자가 틀렸습니다.');
+    }
+}
+
 // 휴대폰번호 체크
 $mb_hp = hyphen_hp_number($_POST['mb_hp']);
 if ($mb_hp) {
@ -289,6 +298,10 @@ if ($w == '' || $w == 'u') {
    }
 }

+if (function_exists('get_admin_captcha_by')) {
+    get_admin_captcha_by('remove');
+}
+
 run_event('admin_member_form_update', $w, $mb_id);

 goto_url('./member_form.php?' . $qstr . '&amp;w=u&amp;mb_id=' . $mb_id, false);