From 7524d291889eb9bd5479e342a4d3090c2dcbe129 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 1 Oct 2018 10:48:59 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2018-0732=20=EC=B7=A8=EC=95=BD=EC=A0=90=20?=
 =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/admin.lib.php | 13 +++++++++++++
 adm/member_list_update.php | 16 ++++++++--------
 lib/common.lib.php | 2 ++
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 48baae0fd..99d145276 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -489,6 +489,19 @@ if (isset($stx)) $arr_query[] = 'stx='.$stx;
 if (isset($page)) $arr_query[] = 'page='.$page;
 $qstr = implode("&", $arr_query);
 
+if ( isset($_REQUEST) && $_REQUEST ){
+ if( admin_referer_check(true) ){
+
+ foreach( $_REQUEST as $key=>$value ){
+ if( $value && preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
+ alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
+ die();
+ }
+ }
+
+ }
+}
+
 // 관리자에서는 추가 스크립트는 사용하지 않는다.
 //$config['cf_add_script'] = '';
 ?>
\ No newline at end of file
diff --git a/adm/member_list_update.php b/adm/member_list_update.php
index eb6d8f791..915fdb880 100644
--- a/adm/member_list_update.php
+++ b/adm/member_list_update.php
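Review bot: The new `$_REQUEST` scan in admin.lib.php only inspects top-level values, so a parameter submitted as an array (`name[]`, which the bulk member form in the next hunk posts as `$_POST['mb_level'][$k]` and friends) reaches `preg_match()` as an array: a warning with a null return on PHP 7 and a TypeError on PHP 8, so nested values are never examined. Walk the structure with `array_walk_recursive()` and guard with `is_string($value)` rather than the bare truthiness test. The two-regex blacklist is narrow by construction — it trips only when a tag-like fragment and a `script…/script` pair both appear — so it is defence in depth at best; the durable fix for reflected values is escaping with `htmlspecialchars()` where they are echoed. `admin_referer_check()` is defined elsewhere, so what its `true` argument selects cannot be confirmed from this hunk.
```php
if ( isset($_REQUEST) && $_REQUEST ){
    if( admin_referer_check(true) ){
        // nested parameters (name[]) must be walked too; preg_match() rejects an array subject
        array_walk_recursive($_REQUEST, function ($value, $key) {
            if( is_string($value) && $value !== '' && preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
                alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
                die();
            }
        });
    }
}
```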
@@ -29,19 +29,19 @@ if ($_POST['act_button'] == "선택수정") {
 $msg .= $mb['mb_id'].' : 로그인 중인 관리자는 수정 할 수 없습니다.\\n';
 } else {
 if($_POST['mb_certify'][$k])
- $mb_adult = $_POST['mb_adult'][$k];
+ $mb_adult = (int) $_POST['mb_adult'][$k];
 else
 $mb_adult = 0;
 
 $sql = " update {$g5['member_table']}
- set mb_level = '{$_POST['mb_level'][$k]}',
- mb_intercept_date = '{$_POST['mb_intercept_date'][$k]}',
- mb_mailling = '{$_POST['mb_mailling'][$k]}',
- mb_sms = '{$_POST['mb_sms'][$k]}',
- mb_open = '{$_POST['mb_open'][$k]}',
- mb_certify = '{$_POST['mb_certify'][$k]}',
+ set mb_level = '".sql_real_escape_string($_POST['mb_level'][$k])."',
+ mb_intercept_date = '".sql_real_escape_string($_POST['mb_intercept_date'][$k])."',
+ mb_mailling = '".sql_real_escape_string($_POST['mb_mailling'][$k])."',
+ mb_sms = '".sql_real_escape_string($_POST['mb_sms'][$k])."',
+ mb_open = '".sql_real_escape_string($_POST['mb_open'][$k])."',
+ mb_certify = '".sql_real_escape_string($_POST['mb_certify'][$k])."',
 mb_adult = '{$mb_adult}'
- where mb_id = '{$_POST['mb_id'][$k]}' ";
+ where mb_id = '".sql_real_escape_string($_POST['mb_id'][$k])."' ";
 sql_query($sql);
 }
 }
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 77b78b5e9..8685f4e52 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -714,6 +714,8 @@ function get_group($gr_id)
 function get_member($mb_id, $fields='*')
 {
 global $g5;
+
+ $mb_id = preg_replace("/[^0-9a-z_]+/i", "", $mb_id);
 return sql_fetch(" select $fields from {$g5['member_table']} where mb_id = TRIM('$mb_id') ");
 }
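Review bot: `mb_adult` is now cast with `(int)` while the other flag-like columns in the same statement (`mb_level`, `mb_mailling`, `mb_sms`, `mb_open`) are escaped as strings; if those columns are numeric, as their names suggest but this hunk cannot show, casting them the same way, e.g. `set mb_level = '".(int)$_POST['mb_level'][$k]."',`, is both consistent with the `mb_adult` line and independent of the connection charset that `sql_real_escape_string()` relies on. `mb_certify` and `mb_intercept_date` look like string columns and should keep the escaping. The loop that supplies `$k` and the enclosing `if ($_POST['act_button'] == "선택수정")` begin outside the hunk, so whether `$k` is constrained is not visible here; the escaped `$_POST['mb_id'][$k]` does cover the where clause.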
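Review bot: The `preg_replace()` added to get_member() silently strips every character outside `[0-9a-z_]` instead of rejecting the id, so an id containing other characters is rewritten into a different — possibly existing — id before the lookup; if member ids are restricted to that set at registration this is harmless, otherwise it is a behaviour change rather than a sanitiser, and it is also inconsistent with the member_list_update.php hunk, which escapes instead. Either keep the value intact with `$mb_id = sql_real_escape_string($mb_id);`, or keep the allow-list but fail closed, `if (!is_string($mb_id) || !preg_match('/^[0-9a-z_]+$/i', $mb_id)) $mb_id = '';`, which also covers `preg_replace()` being handed an array subject and returning an array that lands in the query as `Array`. `$fields` is still interpolated unescaped; presumably callers only pass literals, which this hunk cannot confirm.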