영카트 원격 코드 실행 취약점 수정(2017-1050)

adm/shop_admin/itemqaform.php

@@ -64,11 +64,11 @@ $qstr .= ($qstr ? '&' : '').'sca='.$sca;
     </tr>
     <tr>
         <th scope="row"><label for="iq_question">질문</label></th>
-        <td><?php echo editor_html('iq_question', get_text($iq['iq_question'], 0)); ?></td>
+        <td><?php echo editor_html('iq_question', get_text(html_purifier($iq['iq_question']), 0)); ?></td>
     </tr>
     <tr>
         <th scope="row"><label for="iq_answer">답변</label></th>
-        <td><?php echo editor_html('iq_answer', get_text($iq['iq_answer'], 0)); ?></td>
+        <td><?php echo editor_html('iq_answer', get_text(html_purifier($iq['iq_answer']), 0)); ?></td>
         <!-- <td><textarea name="iq_answer" id="iq_answer" rows="7"><?php echo get_text($iq['iq_answer']); ?></textarea></td> -->
     </tr>
     </tbody>

adm/shop_admin/itemuseform.php

@@ -75,7 +75,7 @@ $qstr .= ($qstr ? '&' : '').'sca='.$sca;
     </tr>
     <tr>
         <th scope="row">내용</th>
-        <td><?php echo editor_html('is_content', get_text($is['is_content'], 0)); ?></td>
+        <td><?php echo editor_html('is_content', get_text(html_purifier($is['is_content']), 0)); ?></td>
     </tr>
     <tr>
         <th scope="row"><label for="is_reply_subject">답변 제목</label></th>
@@ -84,7 +84,7 @@ $qstr .= ($qstr ? '&amp;' : '').'sca='.$sca;
     </tr>
     <tr>
         <th scope="row">답변 내용</th>
-        <td><?php echo editor_html('is_reply_content', get_text($is['is_reply_content'], 0)); ?></td>
+        <td><?php echo editor_html('is_reply_content', get_text(html_purifier($is['is_reply_content']), 0)); ?></td>
     </tr>
     <tr>
         <th scope="row">확인</th>

lib/shop.lib.php

@@ -629,6 +629,10 @@ function it_img_upload($srcfile, $filename, $dir)
     if($size[2] < 1 || $size[2] > 3)
         return '';
 
+    //php파일도 getimagesize 에서 Image Type Flag 를 속일수 있다
+    if (!preg_match('/\.(gif|jpe?g|png)$/i', $filename))
+        return '';
+
     if(!is_dir($dir)) {
         @mkdir($dir, G5_DIR_PERMISSION);
         @chmod($dir, G5_DIR_PERMISSION);

shop/itemqaformupdate.php

@@ -8,6 +8,7 @@ if (!$is_member) {
 $iq_id = (int) trim($_REQUEST['iq_id']);
 $iq_subject = trim($_POST['iq_subject']);
 $iq_question = trim($_POST['iq_question']);
+$iq_question = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $iq_question);
 $iq_answer = trim($_POST['iq_answer']);
 $hash = trim($_REQUEST['hash']);
 $get_editor_img_mode = $config['cf_editor'] ? false : true;

shop/itemuseformupdate.php

@@ -8,6 +8,7 @@ if (!$is_member) {
 $it_id       = trim($_REQUEST['it_id']);
 $is_subject  = trim($_POST['is_subject']);
 $is_content  = trim($_POST['is_content']);
+$is_content = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $is_content);
 $is_name     = trim($_POST['is_name']);
 $is_password = trim($_POST['is_password']);
 $is_score    = (int)$_POST['is_score'] > 5 ? 0 : (int)$_POST['is_score'];