From 2541664ae2193589b2f2a159e255c4133565d9e0 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 12 Oct 2018 09:15:12 +0900
Subject: [PATCH 1/3] =?UTF-8?q?KVE-2018-0291=20=EC=B6=94=EA=B0=80=20?=
 =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 plugin/okname/ipin1.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugin/okname/ipin1.php b/plugin/okname/ipin1.php
index 864995786..f448c216d 100644
--- a/plugin/okname/ipin1.php
+++ b/plugin/okname/ipin1.php
@@ -4,7 +4,9 @@ include_once('./_common.php');
 // 금일 인증시도 회수 체크
 certify_count_check($member['mb_id'], 'ipin');
-include_once('./ipin.config.php');
+// KISA 취약점 내용(KVE-2018-0291) hpcert1.php의 $cmd 함수에 대한 인자 값은 hpcert_config.php 파일에서 설정되나, 이를 다른 페이지에서 포함한 뒤 호출할 시 임의 값 설정 가능
+// 이에 include_once 를 include 로 수정함
+include('./ipin.config.php');
 $option = "C";// Option
From 784f63189625f2ee427e9a53b4a65b1759dd1464 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 17 Oct 2018 16:29:50 +0900
Subject: [PATCH 2/3] =?UTF-8?q?get=5Fselected=20get=5Fchecked=20=ED=95=A8?=
 =?UTF-8?q?=EC=88=98=20=EB=B9=84=EA=B5=90=EB=AC=B8=20=EC=BD=94=EB=93=9C=20?=
 =?UTF-8?q?=EB=8B=A4=EC=8B=9C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/common.lib.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index b9d16cc64..65f555a0d 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
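Review bot: The new comment explains the change in terms of hpcert1.php and hpcert_config.php, but this hunk patches ipin1.php and ipin.config.php; either the comment should name this file's config, or the same include_once-to-include change is still outstanding in hpcert1.php, which the commit does not show. Separately, a plain `include` only warns when the file cannot be read, so the page would carry on with whatever values the config variables already hold, which is exactly the situation the comment is guarding against; `require('./ipin.config.php');` stops the request instead. Suggested wording for the comment: `// KVE-2018-0291: reload ipin.config.php on every request so a caller that included it earlier cannot leave altered values in place`.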
@@ -2070,12 +2070,20 @@ function abs_ip2long($ip='')
 function get_selected($field, $value) {
+ if( is_int($value) ){
+ return ((int) $field===$value) ? ' selected="selected"' : '';
+ }
+
 return ($field===$value) ? ' selected="selected"' : '';
 }
 function get_checked($field, $value) {
+ if( is_int($value) ){
+ return ((int) $field===$value) ? ' checked="checked"' : '';
+ }
+
 return ($field===$value) ? ' checked="checked"' : '';
 }
From aa7ffdf093272e96ac479589afc09c19848869b7 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 17 Oct 2018 18:01:42 +0900
Subject: [PATCH 3/3] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C5=20?=
 =?UTF-8?q?=EB=8B=A4=EC=A4=91=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95=20adm1nkyj(=20http://adm1nkyj.kr/=20)=20=EC=A0=9C?=
 =?UTF-8?q?=EB=B3=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/contentformupdate.php | 5 +++--
 bbs/content.php | 2 ++
 bbs/view_image.php | 3 +--
 g4_import_run.php | 1 +
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index dff780a39..69f82f0b0 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@@ -20,6 +20,7 @@ if ($w == "" || $w == "u")
 $co_row = sql_fetch($sql);
 }
+$co_id = preg_replace('/[^a-z0-9_]/i', '', $co_id);
 $co_subject = strip_tags($co_subject);
 $co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255));
 $co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
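Review bot: `(int) $field` in the new is_int branch of get_selected turns any non-numeric string, an empty string or null into 0, so `get_selected('abc', 0)` and `get_selected('', 0)` now return the selected attribute where the strict comparison on the following line returned nothing; the added branch in get_checked has the same behaviour. Guarding the cast keeps the numeric-string match without that false positive: `return (is_numeric($field) && (int) $field === $value) ? ' selected="selected"' : '';` and the `checked="checked"` twin in get_checked. Whether an unset field should pick the option whose value is 0 is a product decision; if it is intended, a one-line comment on the branch saying so would stop a later reader from treating it as a bug. Both functions start and end inside the hunk.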
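Review bot: The added `$co_id = preg_replace('/[^a-z0-9_]/i', '', $co_id);` silently rewrites the id instead of rejecting it, so an id containing characters outside `[a-z0-9_]` is stored under a different name than the one submitted and may collide with an existing content record. It also sits after the `$co_row = sql_fetch($sql);` lookup in the context lines above; if `$sql` is built from `$co_id` (its construction is outside the hunk), that query still sees the unfiltered value, so the line belongs before the `if ($w == "" || $w == "u")` block. Rejecting is a one-line check, e.g. `if (!preg_match('/^[a-z0-9_]+$/i', $co_id)) { $error_msg = 'co_id may contain only letters, digits and underscores'; }`, following the `$error_msg` convention this file already uses for the include paths further down (how `$error_msg` is reported is outside the hunk).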
@@ -59,12 +60,12 @@ if( $co_include_tail ){
 }
 }
-if( $co_include_head && ! is_include_path_check($co_include_head) ){
+if( $co_include_head && ! is_include_path_check($co_include_head, 1) ){
 $co_include_head = '';
 $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.';
 }
-if( $co_include_tail && ! is_include_path_check($co_include_tail) ){
+if( $co_include_tail && ! is_include_path_check($co_include_tail, 1) ){
 $co_include_tail = '';
 $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }
diff --git a/bbs/content.php b/bbs/content.php
index f9551ed80..366e11e54 100644
--- a/bbs/content.php
+++ b/bbs/content.php
@@ -1,6 +1,8 @@ 관리자 모드에서 게시판관리->내용 관리를 먼저 확인해 주세요.');
diff --git a/bbs/view_image.php b/bbs/view_image.php
index 779f83a30..6bcd005e2 100644
--- a/bbs/view_image.php
+++ b/bbs/view_image.php
@@ -4,8 +4,7 @@ include_once('./_common.php');
 $g5['title'] = '이미지 크게보기';
 include_once(G5_PATH.'/head.sub.php');
-$filename = $_GET['fn'];
-$bo_table = $_GET['bo_table'];
+$filename = preg_replace('/[^A-Za-z0-9 _ .-]/', '', $_GET['fn']);
 if(strpos($filename, 'data/editor')) {
 $editor_file = strstr($filename, 'editor');
diff --git a/g4_import_run.php b/g4_import_run.php
index 259832777..6681df0e8 100644
--- a/g4_import_run.php
+++ b/g4_import_run.php
@@ -71,6 +71,7 @@ document.onkeydown = noRefresh ;
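Review bot: The second argument `1` passed to `is_include_path_check()` on both changed lines is a bare flag whose meaning is not visible here (the function is defined outside this patch), and neither the hunk nor the commit message says what it enables, so the next reader cannot tell why the head and tail paths need a different check from other callers. A short comment above the first call, written once the flag is confirmed against the function's definition, would fix that, e.g. `// second argument selects <mode — confirm in is_include_path_check()> for the header/footer include paths`. If the flag widens the set of rejected paths, the two `$error_msg` strings, which still only mention /data/file/ and /data/editor/, may no longer describe why a path was refused.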
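Review bot: The new allowlist `/[^A-Za-z0-9 _ .-]/` strips every `/` from `$_GET['fn']`, so the `if(strpos($filename, 'data/editor'))` test on the next context line can no longer match and the editor-image branch it guards becomes dead code (the branch body continues outside the hunk). If editor-uploaded images are still meant to be viewable here, the data/editor decision has to be taken from the raw value before filtering and the remaining path built from a validated basename; otherwise the branch should be removed in the same change so the dead test does not suggest it still works. Dropping `$bo_table = $_GET['bo_table'];` is only safe if nothing below the hunk still reads `$bo_table`. The new line also reads `$_GET['fn']` unconditionally; `isset($_GET['fn']) ? $_GET['fn'] : ''` avoids the undefined-index notice when the parameter is absent.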