From 6da105bd6429779e13c0229f7963d969d17ed269 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Thu, 4 Jun 2020 15:13:20 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2020-0288,0319,0320]=EA=B7=B8=EB=88=84?=
 =?UTF-8?q?=EB=B3=B4=EB=93=9C=20=EB=8B=A4=EC=A4=91=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/admin.lib.php              |  2 +-
 adm/auth_list.php              | 20 +++++++++++++++++++-
 adm/auth_update.php            | 17 +++++++++++++++++
 adm/sms_admin/history_view.php |  1 +
 lib/common.lib.php             |  3 ++-
 5 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 7f0d6f63e..c5d4ada2b 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -477,7 +477,7 @@ function admin_check_xss_params($params){
 
         if( is_array($value) ){
             admin_check_xss_params($value);
-        } else if ( (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/[onload|onerror]=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value)) ){
+        } else if ( (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/[onload|onerror|focus]=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value)) ){
             alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.', G5_URL);
             die();
         }
diff --git a/adm/auth_list.php b/adm/auth_list.php
index 76c14406e..fea4626e8 100644
--- a/adm/auth_list.php
+++ b/adm/auth_list.php
@@ -160,7 +160,7 @@ $pagelist = get_paging(G5_IS_MOBILE ? $config['cf_mobile_pages'] : $config['cf_w
 echo $pagelist;
 ?>
 
-<form name="fauthlist2" id="fauthlist2" action="./auth_update.php" method="post" autocomplete="off">
+<form name="fauthlist2" id="fauthlist2" action="./auth_update.php" method="post" autocomplete="off" onsubmit="return fauth_add_submit(this);">
 <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
 <input type="hidden" name="stx" value="<?php echo $stx ?>">
 <input type="hidden" name="sst" value="<?php echo $sst ?>">
@@ -218,6 +218,17 @@ echo $pagelist;
                 <label for="d">d (삭제)</label>
             </td>
         </tr>
+        <tr>
+            <th scope="row">자동등록방지</th>
+            <td>
+                <?php
+                include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+                $captcha_html = captcha_html();
+                $captcha_js   = chk_captcha_js();
+                echo $captcha_html;
+                ?>
+            </td>
+        </tr>
         </tbody>
         </table>
     </div>
@@ -230,6 +241,13 @@ echo $pagelist;
 </form>
 
 <script>
+function fauth_add_submit(f){
+    
+    <?php echo $captcha_js; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함  ?>
+
+    return true;
+}
+
 function fauthlist_submit(f)
 {
     if (!is_checked("chk[]")) {
diff --git a/adm/auth_update.php b/adm/auth_update.php
index 44a0ff437..1e2bc15a8 100644
--- a/adm/auth_update.php
+++ b/adm/auth_update.php
@@ -1,6 +1,7 @@
 <?php
 $sub_menu = "100200";
 include_once('./_common.php');
+include_once(G5_LIB_PATH.'/mailer.lib.php');
 
 if ($is_admin != 'super')
     alert('최고관리자만 접근 가능합니다.');
@@ -11,6 +12,12 @@ if (!$mb['mb_id'])
 
 check_admin_token();
 
+include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+
+if (!chk_captcha()) {
+    alert('자동등록방지 숫자가 틀렸습니다.');
+}
+
 $sql = " insert into {$g5['auth_table']}
             set mb_id   = '{$_POST['mb_id']}',
                 au_menu = '{$_POST['au_menu']}',
@@ -26,5 +33,15 @@ if (!$result) {
 
 //sql_query(" OPTIMIZE TABLE `$g5['auth_table']` ");
 
+// 세션을 체크하여 하루에 한번만 메일알림이 가게 합니다.
+if( str_replace('-', '', G5_TIME_YMD) !== get_session('adm_auth_update') ){
+    $site_url = preg_replace('/^www\./', '', strtolower($_SERVER['SERVER_NAME']));
+    $to_email = 'gnuboard@'.$site_url;
+
+    mailer($config['cf_admin_email_name'], $to_email, $config['cf_admin_email'], '['.$config['cf_title'].'] 관리권한설정 알림', '<p><b>['.$config['cf_title'].'] 관리권한설정 변경 안내</b></p><p style="padding-top:1em">회원 아이디 '.$mb['mb_id'].' 에 관리권한이 추가 되었습니다.</p><p style="padding-top:1em">'.G5_TIME_YMDHIS.'</p><p style="padding-top:1em"><a href="'.G5_URL.'" target="_blank">'.$config['cf_title'].'</a></p>', 1);
+
+    set_session('adm_auth_update', str_replace('-', '', G5_TIME_YMD));
+}
+
 goto_url('./auth_list.php?'.$qstr);
 ?>
diff --git a/adm/sms_admin/history_view.php b/adm/sms_admin/history_view.php
index 905aff78c..4ea64a885 100644
--- a/adm/sms_admin/history_view.php
+++ b/adm/sms_admin/history_view.php
@@ -4,6 +4,7 @@ include_once("./_common.php");
 
 $spage_size = 20;
 $colspan = 10;
+$re_text = '';
 
 $st = isset($st) ? strip_tags($st) : '';
 $ssv = isset($ssv) ? strip_tags($ssv) : '';
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 971960623..28d11c731 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3115,7 +3115,8 @@ function member_delete($mb_id)
     }
 
     // 회원자료는 정보만 없앤 후 아이디는 보관하여 다른 사람이 사용하지 못하도록 함 : 061025
-    $sql = " update {$g5['member_table']} set mb_password = '', mb_level = 1, mb_email = '', mb_homepage = '', mb_tel = '', mb_hp = '', mb_zip1 = '', mb_zip2 = '', mb_addr1 = '', mb_addr2 = '', mb_birth = '', mb_sex = '', mb_signature = '', mb_memo = '".date('Ymd', G5_SERVER_TIME)." 삭제함\n{$mb['mb_memo']}' where mb_id = '{$mb_id}' ";
+    $sql = " update {$g5['member_table']} set mb_password = '', mb_level = 1, mb_email = '', mb_homepage = '', mb_tel = '', mb_hp = '', mb_zip1 = '', mb_zip2 = '', mb_addr1 = '', mb_addr2 = '', mb_birth = '', mb_sex = '', mb_signature = '', mb_memo = '".date('Ymd', G5_SERVER_TIME)." 삭제함\n".sql_real_escape_string($mb['mb_memo'])."' where mb_id = '{$mb_id}' ";
+
     sql_query($sql);
 
     // 포인트 테이블에서 삭제