firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

영카트 Reflected XSS 취약점 수정( 17-0558 )

Browse Source
This commit is contained in:
thisgun
2017-09-06 19:19:14 +09:00
parent a431225576
commit 9810fd7475
8 changed files with 19 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
adm/shop_admin/bannerformupdate.php
View File

@ -34,6 +34,8 @@ if( $bn_bimg || $bn_bimg_name ){
} }
} }
$bn_url = clean_xss_tags($bn_url);
if ($w=="") if ($w=="")
{ {
if (!$bn_bimg_name) alert('배너 이미지를 업로드 하세요.'); if (!$bn_bimg_name) alert('배너 이미지를 업로드 하세요.');

2
mobile/skin/shop/basic/mainbanner.10.skin.php
View File

@ -39,7 +39,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner) if($banner)

11
shop/bannerhit.php
View File

@ -1,6 +1,15 @@
<?php <?php
include_once("./_common.php"); include_once("./_common.php");
$bn_id = (int) $bn_id;
$sql = " select bn_id, bn_url from {$g5['g5_shop_banner_table']} where bn_id = '$bn_id' ";
$row = sql_fetch($sql);
if( ! $row['bn_id'] ){
alert('해당 배너가 존재하지 않습니다.', G5_SHOP_URL);
}
if ($_COOKIE['ck_bn_id'] != $bn_id) if ($_COOKIE['ck_bn_id'] != $bn_id)
{ {
$sql = " update {$g5['g5_shop_banner_table']} set bn_hit = bn_hit + 1 where bn_id = '$bn_id' "; $sql = " update {$g5['g5_shop_banner_table']} set bn_hit = bn_hit + 1 where bn_id = '$bn_id' ";
@ -9,5 +18,7 @@ if ($_COOKIE['ck_bn_id'] != $bn_id)
set_cookie("ck_bn_id", $bn_id, 60*60*24); set_cookie("ck_bn_id", $bn_id, 60*60*24);
} }
$url = clean_xss_tags($row['bn_url']);
goto_url($url); goto_url($url);
?> ?>

2
skin/shop/basic/boxbanner.skin.php
View File

@ -25,7 +25,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>';
if($banner) if($banner)

2
skin/shop/basic/mainbanner.10.skin.php
View File

@ -37,7 +37,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner) if($banner)

2
theme/basic/mobile/skin/shop/basic/mainbanner.10.skin.php
View File

@ -39,7 +39,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner) if($banner)

2
theme/basic/skin/shop/basic/boxbanner.skin.php
View File

@ -25,7 +25,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>';
if($banner) if($banner)

2
theme/basic/skin/shop/basic/mainbanner.10.skin.php
View File

@ -37,7 +37,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
if ($row['bn_url'][0] == '#') if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">'; $banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') { else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>'; $banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
} }
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>'; echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner) if($banner)