From 875a326344b2980c25f181c8e9579d2e59cafc09 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Tue, 12 Dec 2017 11:59:10 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20CSRF=20?=
 =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90(KVE-2017-0883,0884,0923)=20?=
 =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/member_list_update.php | 2 ++
 bbs/memo.php               | 4 +++-
 bbs/memo_delete.php        | 6 ++++++
 bbs/qadelete.php           | 6 ++++++
 bbs/qaview.php             | 3 ++-
 5 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/adm/member_list_update.php b/adm/member_list_update.php
index 6c5049a86..eb6d8f791 100644
--- a/adm/member_list_update.php
+++ b/adm/member_list_update.php
@@ -10,6 +10,8 @@ if (!count($_POST['chk'])) {
 
 auth_check($auth[$sub_menu], 'w');
 
+check_admin_token();
+
 if ($_POST['act_button'] == "선택수정") {
 
     for ($i=0; $i<count($_POST['chk']); $i++)
diff --git a/bbs/memo.php b/bbs/memo.php
index a6af0663c..56288d93f 100644
--- a/bbs/memo.php
+++ b/bbs/memo.php
@@ -4,6 +4,8 @@ include_once('./_common.php');
 if ($is_guest)
     alert_close('회원만 이용하실 수 있습니다.');
 
+set_session('ss_memo_delete_token', $token = uniqid(time()));
+
 $g5['title'] = '내 쪽지함';
 include_once(G5_PATH.'/head.sub.php');
 
@@ -65,7 +67,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
     $list[$i]['send_datetime'] = $send_datetime;
     $list[$i]['read_datetime'] = $read_datetime;
     $list[$i]['view_href'] = './memo_view.php?me_id='.$row['me_id'].'&amp;kind='.$kind;
-    $list[$i]['del_href'] = './memo_delete.php?me_id='.$row['me_id'].'&amp;kind='.$kind;
+    $list[$i]['del_href'] = './memo_delete.php?me_id='.$row['me_id'].'&amp;token='.$token.'&amp;kind='.$kind;
 }
 
 include_once($member_skin_path.'/memo.skin.php');
diff --git a/bbs/memo_delete.php b/bbs/memo_delete.php
index e80fc956d..743d8392e 100644
--- a/bbs/memo_delete.php
+++ b/bbs/memo_delete.php
@@ -4,6 +4,12 @@ include_once('./_common.php');
 if (!$is_member)
     alert('회원만 이용하실 수 있습니다.');
 
+$delete_token = get_session('ss_memo_delete_token');
+set_session('ss_memo_delete_token', '');
+
+if (!($token && $delete_token == $token))
+    alert('토큰 에러로 삭제 불가합니다.');
+
 $me_id = (int)$_REQUEST['me_id'];
 
 $sql = " select * from {$g5['memo_table']} where me_id = '{$me_id}' ";
diff --git a/bbs/qadelete.php b/bbs/qadelete.php
index bc22d1eba..a26fff7e1 100644
--- a/bbs/qadelete.php
+++ b/bbs/qadelete.php
@@ -4,6 +4,12 @@ include_once('./_common.php');
 if($is_guest)
     alert('회원이시라면 로그인 후 이용해 주십시오.', G5_URL);
 
+$delete_token = get_session('ss_qa_delete_token');
+set_session('ss_qa_delete_token', '');
+
+if (!($token && $delete_token == $token))
+    alert('토큰 에러로 삭제 불가합니다.');
+
 $tmp_array = array();
 if ($qa_id) // 건별삭제
     $tmp_array[0] = $qa_id;
diff --git a/bbs/qaview.php b/bbs/qaview.php
index f6b294468..1b5c38227 100644
--- a/bbs/qaview.php
+++ b/bbs/qaview.php
@@ -109,7 +109,8 @@ if(is_file($skin_file)) {
     */
     if(($view['qa_type'] && $is_admin) || (!$view['qa_type'] && $view['qa_status'] == 0)) {
         $update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$view['qa_id'].$qstr;
-        $delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].$qstr;
+        set_session('ss_qa_delete_token', $token = uniqid(time()));
+        $delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].'&amp;token='.$token.$qstr;
     }
 
     // 질문글이고 등록된 답변이 있다면