From 43f4b2c5fb04b5bd885139bb31f9fb6d701e1d45 Mon Sep 17 00:00:00 2001 From: chicpro Date: Wed, 20 Jan 2016 14:29:32 +0900 Subject: [PATCH 1/5] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90(16-059)?= =?UTF-8?q?=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/formmail.php | 6 ++++++ mobile/skin/member/basic/formmail.skin.php | 1 - skin/member/basic/formmail.skin.php | 1 - theme/basic/mobile/skin/member/basic/formmail.skin.php | 1 - theme/basic/skin/member/basic/formmail.skin.php | 1 - 5 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/bbs/formmail.php b/bbs/formmail.php
index 55a9847e5..fdeeab869 100644
--- a/bbs/formmail.php
+++ b/bbs/formmail.php
@@ -28,6 +28,12 @@ if ($sendmail_count > 3)
 $g5['title'] = '메일 쓰기';
 include_once(G5_PATH.'/head.sub.php');
 
+$email = get_email_address(base64_decode($email));
+if(!$email)
+    alert_close('이메일이 올바르지 않습니다.');
+
+$email = base64_encode($email);
+
 if (!$name)
     $name = base64_decode($email);
 else
diff --git a/mobile/skin/member/basic/formmail.skin.php b/mobile/skin/member/basic/formmail.skin.php
index bb1c32e7c..8d3eaead2 100644
--- a/mobile/skin/member/basic/formmail.skin.php
+++ b/mobile/skin/member/basic/formmail.skin.php
@@ -11,7 +11,6 @@ add_stylesheet('',
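Review bot: The validity of `$email` after the new check rests entirely on `get_email_address()`, whose filtering is not visible in this hunk, because `base64_decode()` in its default non-strict mode silently discards characters outside the base64 alphabet instead of failing. Decode strictly and reject a failed decode before handing the value to the helper: `$decoded = base64_decode($email, true);` followed by `$email = ($decoded === false) ? '' : get_email_address($decoded);`, so the existing `if(!$email) alert_close(...)` covers both failure modes. Note that the fix only normalises the email half of what the skin prints: when the request already supplies `$name`, the `else` branch keeps the caller's value, and that branch lies outside this hunk, so its escaping cannot be confirmed from here. A one-line comment above the block — `// request value is base64; validate it as an address so skins can echo it safely` — would also help, since the decode/validate/re-encode round trip otherwise reads like a no-op.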
- diff --git a/skin/member/basic/formmail.skin.php b/skin/member/basic/formmail.skin.php index 9f821b06a..e57be622c 100644 --- a/skin/member/basic/formmail.skin.php +++ b/skin/member/basic/formmail.skin.php @@ -12,7 +12,6 @@ add_stylesheet('', - diff --git a/theme/basic/mobile/skin/member/basic/formmail.skin.php b/theme/basic/mobile/skin/member/basic/formmail.skin.php index bb1c32e7c..8d3eaead2 100644 --- a/theme/basic/mobile/skin/member/basic/formmail.skin.php +++ b/theme/basic/mobile/skin/member/basic/formmail.skin.php @@ -11,7 +11,6 @@ add_stylesheet('', - diff --git a/theme/basic/skin/member/basic/formmail.skin.php b/theme/basic/skin/member/basic/formmail.skin.php index 5d1ec65b5..274bbc96e 100644 --- a/theme/basic/skin/member/basic/formmail.skin.php +++ b/theme/basic/skin/member/basic/formmail.skin.php @@ -12,7 +12,6 @@ add_stylesheet('', - From e9023340ddd2d94f108d7b3b4ea10dc277583a70 Mon Sep 17 00:00:00 2001 From: chicpro Date: Wed, 20 Jan 2016 14:46:13 +0900 Subject: [PATCH 2/5] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90(16-060)?= =?UTF-8?q?=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/member_confirm.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php index 9f214f289..e5abe169e 100644 --- a/bbs/member_confirm.php +++ b/bbs/member_confirm.php @@ -19,6 +19,8 @@ $url = clean_xss_tags($_GET['url']); // url 체크 check_url_host($url); +$url = get_text($url); + include_once($member_skin_path.'/member_confirm.skin.php'); include_once('./_tail.sub.php'); From f3abd57925603b25225bf9291281587eb6034304 Mon Sep 17 00:00:00 2001 
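Review bot: Escaping `$url` with `get_text()` at this point bakes HTML-entity encoding into a variable that reads like a raw URL, so any later use outside an HTML text or attribute context — a `location.href` assignment in the skin included on the next line, or a `Location:` header — would receive `&amp;` and entity-encoded quotes and break; the skin is not visible here, so treat that as something to confirm before merging. The ordering is right as far as it goes: `check_url_host($url)` runs on the unescaped value, which is what a host check must see. Either keep `$url` raw and escape it at each output site in `member_confirm.skin.php`, or document the contract where the value is produced: `// $url is HTML-escaped from here on: echo it as-is in the skin, never re-escape it or place it in a JS/header context`.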
From: chicpro Date: Wed, 20 Jan 2016 14:51:16 +0900 Subject: [PATCH 3/5] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90(15-727)?= =?UTF-8?q?=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- plugin/editor/smarteditor2/sample.php | 33 --------------------------- 1 file changed, 33 deletions(-) delete mode 100644 plugin/editor/smarteditor2/sample.php diff --git a/plugin/editor/smarteditor2/sample.php b/plugin/editor/smarteditor2/sample.php deleted file mode 100644 index a5e2b8b82..000000000 --- a/plugin/editor/smarteditor2/sample.php +++ /dev/null @@ -1,33 +0,0 @@ - - - - -Smart Editor™ WYSIWYG Mode - - - -

- 에디터 내용: -

- -
- -
- -
-

- 주의: sample.php는 샘플 파일로 정상 동작하지 않을 수 있습니다. 이 점 주의바랍니다. -

- - - - - - \ No newline at end of file From 714d64afb6c68b6cc57e6e852af18e666ae7b962 Mon Sep 17 00:00:00 2001 From: chicpro Date: Wed, 20 Jan 2016 16:23:38 +0900 Subject: [PATCH 4/5] =?UTF-8?q?Reflected=20XSS=20=EC=B7=A8=EC=95=BD?= =?UTF-8?q?=EC=A0=90(16-036)=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/alert.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bbs/alert.php b/bbs/alert.php index 6b1ab26a7..dabe311f6 100644 --- a/bbs/alert.php +++ b/bbs/alert.php @@ -33,6 +33,8 @@ $msg2 = str_replace("\\n", "
", $msg); $url = clean_xss_tags($url); if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']); +$url = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", $url); + // url 체크 check_url_host($url); From 88c95375f00edf53e5cea5404c6a2c6ba0e0828f Mon Sep 17 00:00:00 2001 From: chicpro Date: Wed, 27 Jan 2016 14:59:49 +0900 Subject: [PATCH 5/5] =?UTF-8?q?=EB=B9=84=EB=B0=80=20=EB=8C=93=EA=B8=80=20?= =?UTF-8?q?=EB=85=B8=EC=B6=9C=20=EC=B7=A8=EC=95=BD=EC=A0=90(16-067)=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mobile/skin/board/basic/view_comment.skin.php | 4 +++- mobile/skin/board/gallery/view_comment.skin.php | 4 +++- skin/board/basic/view_comment.skin.php | 4 +++- skin/board/gallery/view_comment.skin.php | 4 +++- theme/basic/mobile/skin/board/basic/view_comment.skin.php | 4 +++- theme/basic/mobile/skin/board/gallery/view_comment.skin.php | 4 +++- theme/basic/skin/board/basic/view_comment.skin.php | 4 +++- theme/basic/skin/board/gallery/view_comment.skin.php | 4 +++- 8 files changed, 24 insertions(+), 8 deletions(-) diff --git a/mobile/skin/board/basic/view_comment.skin.php b/mobile/skin/board/basic/view_comment.skin.php index c6984f652..4640365e4 100644 --- a/mobile/skin/board/basic/view_comment.skin.php +++ b/mobile/skin/board/basic/view_comment.skin.php @@ -53,8 +53,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } 
diff --git a/mobile/skin/board/gallery/view_comment.skin.php b/mobile/skin/board/gallery/view_comment.skin.php index c6984f652..4640365e4 100644 --- a/mobile/skin/board/gallery/view_comment.skin.php +++ b/mobile/skin/board/gallery/view_comment.skin.php @@ -53,8 +53,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/skin/board/basic/view_comment.skin.php b/skin/board/basic/view_comment.skin.php index 20d997b44..1169827de 100644 --- a/skin/board/basic/view_comment.skin.php +++ b/skin/board/basic/view_comment.skin.php @@ -59,8 +59,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/skin/board/gallery/view_comment.skin.php b/skin/board/gallery/view_comment.skin.php index d39ada994..1a46d3b9c 100644 --- a/skin/board/gallery/view_comment.skin.php +++ b/skin/board/gallery/view_comment.skin.php 
@@ -59,8 +59,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/theme/basic/mobile/skin/board/basic/view_comment.skin.php b/theme/basic/mobile/skin/board/basic/view_comment.skin.php index c6984f652..4640365e4 100644 --- a/theme/basic/mobile/skin/board/basic/view_comment.skin.php +++ b/theme/basic/mobile/skin/board/basic/view_comment.skin.php @@ -53,8 +53,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/theme/basic/mobile/skin/board/gallery/view_comment.skin.php b/theme/basic/mobile/skin/board/gallery/view_comment.skin.php index c6984f652..4640365e4 100644 --- a/theme/basic/mobile/skin/board/gallery/view_comment.skin.php +++ b/theme/basic/mobile/skin/board/gallery/view_comment.skin.php 
@@ -53,8 +53,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/theme/basic/skin/board/basic/view_comment.skin.php b/theme/basic/skin/board/basic/view_comment.skin.php index 8c6deacbc..23a29b17a 100644 --- a/theme/basic/skin/board/basic/view_comment.skin.php +++ b/theme/basic/skin/board/basic/view_comment.skin.php @@ -59,8 +59,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; } diff --git a/theme/basic/skin/board/gallery/view_comment.skin.php b/theme/basic/skin/board/gallery/view_comment.skin.php index ea87902ed..ae8515d92 100644 --- a/theme/basic/skin/board/gallery/view_comment.skin.php +++ b/theme/basic/skin/board/gallery/view_comment.skin.php 
@@ -59,8 +59,10 @@ var char_max = parseInt(); // 최대 $query_string = clean_query_string($_SERVER['QUERY_STRING']); if($w == 'cu') { - $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; + $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' "; $cmt = sql_fetch($sql); + if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id']))) + $cmt['wr_content'] = ''; $c_wr_content = $cmt['wr_content']; }