From 6c867f02b4f19cfb1bd6aa484cbee548eb6bf64b Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Fri, 16 Mar 2018 16:39:07 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20SQL=20In?=
 =?UTF-8?q?jection=20=EC=B7=A8=EC=95=BD=EC=A0=90=20(18-0075)=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/delete.php             |  2 +-
 bbs/delete_all.php         |  2 +-
 bbs/move_update.php        |  9 ++++++++-
 install/install_config.php |  2 +-
 install/install_db.php     | 12 +++++++++++-
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/bbs/delete.php b/bbs/delete.php
index 09639a194..8f3cc9bcd 100644
--- a/bbs/delete.php
+++ b/bbs/delete.php
@@ -80,7 +80,7 @@ while ($row = sql_fetch_array($result))
         $sql2 = " select * from {$g5['board_file_table']} where bo_table = '$bo_table' and wr_id = '{$row['wr_id']}' ";
         $result2 = sql_query($sql2);
         while ($row2 = sql_fetch_array($result2)) {
-            @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.$row2['bf_file']);
+            @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.str_replace('../', '', $row2['bf_file']));
             // 썸네일삭제
             if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['bf_file'])) {
                 delete_board_thumbnail($bo_table, $row2['bf_file']);
diff --git a/bbs/delete_all.php b/bbs/delete_all.php
index f7c6179bf..943045b19 100644
--- a/bbs/delete_all.php
+++ b/bbs/delete_all.php
@@ -98,7 +98,7 @@ for ($i=$chk_count-1; $i>=0; $i--)
             $result2 = sql_query($sql2);
             while ($row2 = sql_fetch_array($result2)) {
                 // 파일삭제
-                @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.$row2['bf_file']);
+                @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.str_replace('../', '',$row2['bf_file']));
 
                 // 썸네일삭제
                 if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['bf_file'])) {
diff --git a/bbs/move_update.php b/bbs/move_update.php
index 78abbd8cd..fd48087fe 100644
--- a/bbs/move_update.php
+++ b/bbs/move_update.php
@@ -28,7 +28,14 @@ while ($row = sql_fetch_array($result))
     $wr_num = $row['wr_num'];
     for ($i=0; $i<count($_POST['chk_bo_table']); $i++)
     {
-        $move_bo_table = $_POST['chk_bo_table'][$i];
+        $move_bo_table = preg_replace('/[^a-z0-9_]/i', '', $_POST['chk_bo_table'][$i]);
+
+        // 취약점 18-0075 참고
+        $sql = "select * from {$g5['board_table']} where bo_table = '".sql_real_escape_string($move_bo_table)."' ";
+        $move_board = sql_fetch($sql);
+        // 존재하지 않다면
+        if( !$move_board['bo_table'] ) continue;
+
         $move_write_table = $g5['write_prefix'] . $move_bo_table;
 
         $src_dir = G5_DATA_PATH.'/file/'.$bo_table; // 원본 디렉토리
diff --git a/install/install_config.php b/install/install_config.php
index a6581af2d..7020c6647 100644
--- a/install/install_config.php
+++ b/install/install_config.php
@@ -140,7 +140,7 @@ function frm_install_submit(f)
         alert('최고관리자 E-mail 을 입력하십시오.'); f.admin_email.focus(); return false;
     }
 
-    var reg = /^\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink)\s?\(\$_(get|post|request)\s?\[.*?\]\s?\)/gi;
+    var reg = /\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink|include|include_once|require|require_once)\s?\(\$_(get|post|request)\s?\[.*?\]\s?\)/gi;
     var reg_msg = " 에 유효하지 않는 문자가 있습니다. 다른 문자로 대체해 주세요.";
 
     if( reg.test(f.mysql_host.value) ){
diff --git a/install/install_db.php b/install/install_db.php
index 425e52de1..ed6282bbc 100644
--- a/install/install_db.php
+++ b/install/install_db.php
@@ -14,7 +14,17 @@ include_once ('../lib/common.lib.php');
 
 if( ! function_exists('safe_install_string_check') ){
     function safe_install_string_check( $str ) {
-        if(preg_match('#^\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink)\s?\(\$_(get|post|request)\s?\[.*?\]\s?\)#i', $str)) {
+        $is_check = false;
+
+        if(preg_match('#\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink|include|include_once|require|require_once)\s?#i', $str)) {
+            $is_check = true;
+        }
+
+        if(preg_match('#\$_(get|post|request)\s?\[.*?\]\s?\)#i', $str)){
+            $is_check = true;
+        }
+
+        if($is_check){
             die("입력한 값에 안전하지 않는 문자가 포함되어 있습니다. 설치를 중단합니다.");
         }