KVE-2019-0829 영카트 XSS 취약점 수정

2019-05-24 18:40:02 +09:00
parent 6b2e0e9b58
commit a0fa82eabe
10 changed files with 49 additions and 9 deletions
--- a/adm/shop_admin/couponformupdate.php
+++ b/adm/shop_admin/couponformupdate.php
@ -8,6 +8,25 @@ check_admin_token();

 $_POST = array_map('trim', $_POST);

+$check_sanitize_keys = array(
+'cp_subject',       // 쿠폰이름
+'cp_method',        // 쿠폰종류
+'cp_target',        // 적용상품
+'mb_id',            // 회원아이디
+'cp_start',         // 사용시작일
+'cp_end',           // 사용종료일
+'cp_type',          // 쿠폰타입
+'cp_price',         // 할인금액
+'cp_type',          // 할인금액타입
+'cp_trunc',         // 절사금액
+'cp_minimum',       // 최소주문금액
+'cp_maximum',       // 최대할인금액
+);
+
+foreach( $check_sanitize_keys as $key ){
+    $$key = $_POST[$key] = isset($_POST[$key]) ? strip_tags($_POST[$key]) : '';
+}
+
 if(!$_POST['cp_subject'])
    alert('쿠폰이름을 입력해 주십시오.');

--- a/adm/shop_admin/couponlist_delete.php
+++ b/adm/shop_admin/couponlist_delete.php
@ -17,7 +17,7 @@ for ($i=0; $i<$count; $i++)
    // 실제 번호를 넘김
    $k = $_POST['chk'][$i];

-    $sql = " delete from {$g5['g5_shop_coupon_table']} where cp_id = '{$_POST['cp_id'][$k]}' ";
+    $sql = " delete from {$g5['g5_shop_coupon_table']} where cp_id = '".preg_replace('/[^a-z0-9_\-]/i', '', $_POST['cp_id'][$k])."' ";
    sql_query($sql);
 }

--- a/adm/shop_admin/couponzoneformupdate.php
+++ b/adm/shop_admin/couponzoneformupdate.php
@ -11,6 +11,26 @@ check_admin_token();

 $_POST = array_map('trim', $_POST);

+$check_sanitize_keys = array(
+'cz_subject',       // 쿠폰이름
+'cz_type',          // 발행쿠폰타입
+'cz_start',         // 사용시작일
+'cz_end',           // 사용종료일
+'cz_period',        // 쿠폰사용기한
+'cz_point',         // 쿠폰교환 포인트
+'cp_method',        // 발급쿠폰종류
+'cp_target',        // 적용상품
+'cp_price',         // 할인금액
+'cp_type',          // 할인금액타입
+'cp_trunc',         // 절사금액
+'cp_minimum',       // 최소주문금액
+'cp_maximum',       // 최대할인금액
+);
+
+foreach( $check_sanitize_keys as $key ){
+    $$key = $_POST[$key] = isset($_POST[$key]) ? strip_tags($_POST[$key]) : '';
+}
+
 if(!$_POST['cz_subject'])
    alert('쿠폰이름을 입력해 주십시오.');

--- a/adm/shop_admin/itemeventform.php
+++ b/adm/shop_admin/itemeventform.php
@ -309,13 +309,13 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
    <tr>
        <th scope="row">상단내용</th>
        <td>
-            <?php echo editor_html('ev_head_html', get_text($ev['ev_head_html'], 0)); ?>
+            <?php echo editor_html('ev_head_html', get_text(html_purifier($ev['ev_head_html']), 0)); ?>
        </td>
    </tr>
    <tr>
        <th scope="row">하단내용</th>
        <td>
-            <?php echo editor_html('ev_tail_html', get_text($ev['ev_tail_html'], 0)); ?>
+            <?php echo editor_html('ev_tail_html', get_text(html_purifier($ev['ev_tail_html']), 0)); ?>
        </td>
    </tr>
    </tbody>
--- a/adm/shop_admin/itemeventformupdate.php
+++ b/adm/shop_admin/itemeventformupdate.php
@ -26,6 +26,7 @@ $skin_regex_patten = "^list.[0-9]+\.skin\.php";

 $ev_skin = (preg_match("/$skin_regex_patten/", $ev_skin) && file_exists(G5_SHOP_SKIN_PATH.'/'.$ev_skin)) ? $ev_skin : ''; 
 $ev_mobile_skin = (preg_match("/$skin_regex_patten/", $ev_mobile_skin) && file_exists(G5_MSHOP_SKIN_PATH.'/'.$ev_mobile_skin)) ? $ev_mobile_skin : ''; 
+$ev_subject = strip_tags($ev_subject);

 $sql_common = " set ev_skin             = '$ev_skin',
                    ev_mobile_skin      = '$ev_mobile_skin',
--- a/adm/shop_admin/sendcostupdate.php
+++ b/adm/shop_admin/sendcostupdate.php
@ -18,11 +18,11 @@ if($w == 'd') {
    for($i=0; $i<$count; $i++) {
        $k = $_POST['chk'][$i];

-        $sc_id = $_POST['sc_id'][$k];
+        $sc_id = (int) $_POST['sc_id'][$k];
        sql_query(" delete from {$g5['g5_shop_sendcost_table']} where sc_id = '$sc_id' ");
    }
 } else {
-    $sc_name = trim($_POST['sc_name']);
+    $sc_name = trim(strip_tags($_POST['sc_name']));
    $sc_zip1 = preg_replace('/[^0-9]/', '', $_POST['sc_zip1']);
    $sc_zip2 = preg_replace('/[^0-9]/', '', $_POST['sc_zip2']);
    $sc_price = preg_replace('/[^0-9]/', '', $_POST['sc_price']);
--- a/mobile/skin/member/basic/login.skin.php
+++ b/mobile/skin/member/basic/login.skin.php
@ -55,7 +55,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
        </p>

        <div id="guest_privacy">
-            <?php echo $default['de_guest_privacy']; ?>
+            <?php echo conv_content($default['de_guest_privacy'], $config['cf_editor']); ?>
        </div>

        <label for="agree">개인정보수집에 대한 내용을 읽었으며 이에 동의합니다.</label>
--- a/skin/member/basic/login.skin.php
+++ b/skin/member/basic/login.skin.php
@ -53,7 +53,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
        </p>

        <div id="guest_privacy">
-            <?php echo $default['de_guest_privacy']; ?>
+            <?php echo conv_content($default['de_guest_privacy'], $config['cf_editor']); ?>
        </div>

        <label for="agree">개인정보수집에 대한 내용을 읽었으며 이에 동의합니다.</label>
--- a/theme/basic/mobile/skin/member/basic/login.skin.php
+++ b/theme/basic/mobile/skin/member/basic/login.skin.php
@ -55,7 +55,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
        </p>

        <div id="guest_privacy">
-            <?php echo $default['de_guest_privacy']; ?>
+            <?php echo conv_content($default['de_guest_privacy'], $config['cf_editor']); ?>
        </div>

        <label for="agree">개인정보수집에 대한 내용을 읽었으며 이에 동의합니다.</label>
--- a/theme/basic/skin/member/basic/login.skin.php
+++ b/theme/basic/skin/member/basic/login.skin.php
@ -53,7 +53,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
        </p>

        <div id="guest_privacy">
-            <?php echo $default['de_guest_privacy']; ?>
+            <?php echo conv_content($default['de_guest_privacy'], $config['cf_editor']); ?>
        </div>

        <label for="agree">개인정보수집에 대한 내용을 읽었으며 이에 동의합니다.</label>