[KVE-2022-0175] 그누보드 sql 취약점 수정

2022-06-23 14:29:14 +09:00
parent 2366e8ebfb
commit 929183b3e3
9 changed files with 39 additions and 11 deletions
--- a/adm/admin.head.php
+++ b/adm/admin.head.php
@ -87,6 +87,7 @@ if (!empty($_COOKIE['g5_admin_btn_gnb'])) {
 ?>

 <script>
+    var g5_admin_csrf_token_key = "<?php echo (function_exists('admin_csrf_token_key')) ? admin_csrf_token_key() : ''; ?>";
    var tempX = 0;
    var tempY = 0;

--- a/adm/admin.js
+++ b/adm/admin.js
@ -83,11 +83,13 @@ function delete_confirm2(msg)

 function get_ajax_token()
 {
-    var token = "";
+    var token = "",
+        admin_csrf_token_key = (typeof g5_admin_csrf_token_key !== "undefined") ? g5_admin_csrf_token_key : "";

    $.ajax({
        type: "POST",
        url: g5_admin_url+"/ajax.token.php",
+        data : {admin_csrf_token_key:admin_csrf_token_key},
        cache: false,
        async: false,
        dataType: "json",
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@ -481,6 +481,18 @@ function check_admin_token()
    return true;
 }

+function admin_csrf_token_key($is_must=0){
+    global $member;
+
+    $key = '';
+
+    if($is_must || !((isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'))){
+        $key = md5((isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '').(defined('G5_TOKEN_ENCRYPTION_KEY') ? G5_TOKEN_ENCRYPTION_KEY : '').$member['mb_id'].$_SERVER['DOCUMENT_ROOT']);
+    }
+
+    return run_replace('admin_csrf_token_key', $key, $is_must);
+}
+
 // 관리자 페이지 referer 체크
 function admin_referer_check($return = false)
 {
--- a/adm/ajax.token.php
+++ b/adm/ajax.token.php
@ -3,6 +3,12 @@ require_once './_common.php';

 set_session('ss_admin_token', '');

+$admin_csrf_token_key = isset($_POST['admin_csrf_token_key']) ? $_POST['admin_csrf_token_key'] : '';
+
+if(function_exists('admin_csrf_token_key') && $admin_csrf_token_key !== admin_csrf_token_key(1)){
+    die(json_encode(array('error' => '토큰키 에러!', 'url' => G5_URL)));
+}
+
 $error = admin_referer_check(true);
 if ($error) {
    die(json_encode(array('error' => $error, 'url' => G5_URL)));
--- a/adm/board_copy.php
+++ b/adm/board_copy.php
@ -7,12 +7,13 @@ auth_check_menu($auth, $sub_menu, 'w');
 $g5['title'] = '게시판 복사';
 require_once G5_PATH . '/head.sub.php';

-$bo_table = $_REQUEST['bo_table'];
 if (empty($bo_table)) {
    alert_close("정상적인 방법으로 이용해주세요.");
 }
 ?>
-
+<script>
+    var g5_admin_csrf_token_key = "<?php echo (function_exists('admin_csrf_token_key')) ? admin_csrf_token_key() : ''; ?>";
+</script>
 <script src="<?php echo G5_ADMIN_URL ?>/admin.js?ver=<?php echo G5_JS_VER; ?>"></script>

 <div class="new_win">
--- a/adm/board_copy_update.php
+++ b/adm/board_copy_update.php
@ -89,10 +89,10 @@ $sql = " insert into {$g5['board_table']}
                bo_new = '{$board['bo_new']}',
                bo_hot = '{$board['bo_hot']}',
                bo_image_width = '{$board['bo_image_width']}',
-                bo_skin = '{$board['bo_skin']}',
-                bo_mobile_skin = '{$board['bo_mobile_skin']}',
-                bo_include_head = '{$board['bo_include_head']}',
-                bo_include_tail = '{$board['bo_include_tail']}',
+                bo_skin = '" . sql_real_escape_string($board['bo_skin']). "',
+                bo_mobile_skin = '" . sql_real_escape_string($board['bo_mobile_skin']). "',
+                bo_include_head = '" . sql_real_escape_string($board['bo_include_head']). "',
+                bo_include_tail = '" . sql_real_escape_string($board['bo_include_tail']). "',
                bo_content_head = '" . addslashes($board['bo_content_head']) . "',
                bo_content_tail = '" . addslashes($board['bo_content_tail']) . "',
                bo_mobile_content_head = '" . addslashes($board['bo_mobile_content_head']) . "',
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@ -161,6 +161,10 @@ $bo_comment_min = isset($_POST['bo_comment_min']) ? (int) $_POST['bo_comment_min
 $bo_comment_max = isset($_POST['bo_comment_max']) ? (int) $_POST['bo_comment_max'] : 0;
 $bo_sort_field = isset($_POST['bo_sort_field']) ? clean_xss_tags($_POST['bo_sort_field'], 1, 1) : '';

+if (strpbrk($bo_skin.$bo_mobile_skin, "?%*:|\"<>") !== false) {
+    alert('스킨 디렉토리명 오류!');
+}
+
 $etcs = array();

 for ($i = 1; $i <= 10; $i++) {
--- a/extend/version.extend.php
+++ b/extend/version.extend.php
@ -2,7 +2,7 @@
 if (!defined('_GNUBOARD_')) exit; // 개별 페이지 접근 불가

 // 자바스크립트와 CSS 파일을 새로 다운로드 하도록 파일의 끝에 년월일 지정
-// 예) https://도메인/css/default.css?ver=210618
-// 예) https://도메인/js/common.js?ver=210618
-define('G5_CSS_VER', '210618');
-define('G5_JS_VER',  '210618');
+// 예) https://도메인/css/default.css?ver=220620
+// 예) https://도메인/js/common.js?ver=220620
+define('G5_CSS_VER', '220620');
+define('G5_JS_VER',  '220620');
--- a/mobile/shop/orderaddress.php
+++ b/mobile/shop/orderaddress.php
@ -1,6 +1,8 @@
 <?php
 include_once('./_common.php');

+$order_action_url = G5_HTTPS_SHOP_URL.'/orderaddressupdate.php';
+
 // 테마에 orderaddress.php 있으면 include
 if(defined('G5_THEME_MSHOP_PATH')) {
    $theme_orderaddress_file = G5_THEME_MSHOP_PATH.'/orderaddress.php';