그누보드 SQL Injection 취약점 (18-0075) 수정

bbs/delete.php

@@ -80,7 +80,7 @@ while ($row = sql_fetch_array($result))
         $sql2 = " select * from {$g5['board_file_table']} where bo_table = '$bo_table' and wr_id = '{$row['wr_id']}' ";
         $result2 = sql_query($sql2);
         while ($row2 = sql_fetch_array($result2)) {
-            @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.$row2['bf_file']);
+            @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.str_replace('../', '', $row2['bf_file']));
             // 썸네일삭제
             if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['bf_file'])) {
                 delete_board_thumbnail($bo_table, $row2['bf_file']);

bbs/delete_all.php

@@ -98,7 +98,7 @@ for ($i=$chk_count-1; $i>=0; $i--)
             $result2 = sql_query($sql2);
             while ($row2 = sql_fetch_array($result2)) {
                 // 파일삭제
-                @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.$row2['bf_file']);
+                @unlink(G5_DATA_PATH.'/file/'.$bo_table.'/'.str_replace('../', '',$row2['bf_file']));
 
                 // 썸네일삭제
                 if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['bf_file'])) {

bbs/move_update.php

@@ -28,7 +28,14 @@ while ($row = sql_fetch_array($result))
     $wr_num = $row['wr_num'];
     for ($i=0; $i<count($_POST['chk_bo_table']); $i++)
     {
-        $move_bo_table = $_POST['chk_bo_table'][$i];
+        $move_bo_table = preg_replace('/[^a-z0-9_]/i', '', $_POST['chk_bo_table'][$i]);
+
+        // 취약점 18-0075 참고
+        $sql = "select * from {$g5['board_table']} where bo_table = '".sql_real_escape_string($move_bo_table)."' ";
+        $move_board = sql_fetch($sql);
+        // 존재하지 않다면
+        if( !$move_board['bo_table'] ) continue;
+
         $move_write_table = $g5['write_prefix'] . $move_bo_table;
 
         $src_dir = G5_DATA_PATH.'/file/'.$bo_table; // 원본 디렉토리