쇼핑몰 관리자 CSRF 취약점 수정

adm/shop_admin/bannerformupdate.php

@@ -9,6 +9,8 @@ if ($W == 'd')
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 @mkdir(G5_DATA_PATH."/banner", G5_DIR_PERMISSION);
 @chmod(G5_DATA_PATH."/banner", G5_DIR_PERMISSION);
 

adm/shop_admin/bannerlist.php

@@ -100,7 +100,7 @@ $from_record = ($page - 1) * $rows; // 시작 열을 구함
         <td headers="th_hit" class="td_num"><?php echo $row['bn_hit']; ?></td>
         <td headers="th_mng" class="td_mngsmall">
             <a href="./bannerform.php?w=u&amp;bn_id=<?php echo $row['bn_id']; ?>">수정</a></li>
-            <a href="./bannerformupdate.php?w=d&amp;bn_id=<?php echo $row['bn_id']; ?>" onclick="return delete_confirm();">삭제</a>
+            <a href="./bannerformupdate.php?w=d&amp;bn_id=<?php echo $row['bn_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
         </td>
     </tr>
     <tr class="<?php echo $bg; ?>">

adm/shop_admin/categoryformupdate.php

@@ -19,6 +19,8 @@ if ($w == "u" || $w == "d")
 
 auth_check($auth[$sub_menu], "d");
 
+check_admin_token();
+
 if ($w == 'd' && $is_admin != 'super')
     alert("최고관리자만 분류를 삭제할 수 있습니다.");
 

adm/shop_admin/categorylist.php

@@ -137,7 +137,7 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
         $s_upd = '<a href="./categoryform.php?w=u&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'"><span class="sound_only">'.get_text($row['ca_name']).' </span>수정</a> ';
 
         if ($is_admin == 'super')
-            $s_del = '<a href="./categoryformupdate.php?w=d&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'" onclick="return delete_confirm();"><span class="sound_only">'.get_text($row['ca_name']).' </span>삭제</a> ';
+            $s_del = '<a href="./categoryformupdate.php?w=d&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'" onclick="return delete_confirm(this);"><span class="sound_only">'.get_text($row['ca_name']).' </span>삭제</a> ';
 
         // 해당 분류에 속한 상품의 수
         $sql1 = " select COUNT(*) as cnt from {$g5['g5_shop_item_table']}

adm/shop_admin/categorylistupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 for ($i=0; $i<count($_POST['ca_id']); $i++)
 {
     if ($_POST['ca_mb_id'][$i])

adm/shop_admin/configform.php

@@ -115,6 +115,7 @@ if(!isset($default['de_kakaopay_mid'])) {
 ?>
 
 <form name="fconfig" action="./configformupdate.php" onsubmit="return fconfig_check(this)" method="post" enctype="MULTIPART/FORM-DATA">
+<input type="hidden" name="token" value="">
 <section id="anc_scf_info">
     <h2 class="h2_frm">사업자정보</h2>
     <?php echo $pg_anchor; ?>

adm/shop_admin/configformupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 // 대표전화번호 유효성 체크
 if(!check_vaild_callback($_POST['de_admin_company_tel']))
     alert('대표전화번호를 올바르게 입력해 주세요.');

adm/shop_admin/couponformupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 $_POST = array_map('trim', $_POST);
 
 if(!$_POST['cp_subject'])

adm/shop_admin/couponlist.php

@@ -4,8 +4,6 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "r");
 
-$token = get_token();
-
 $sql_common = " from {$g5['g5_shop_coupon_table']} ";
 
 $sql_search = " where (1) ";
@@ -77,7 +75,7 @@ $colspan = 9;
 <input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
 <input type="hidden" name="stx" value="<?php echo $stx; ?>">
 <input type="hidden" name="page" value="<?php echo $page; ?>">
-<input type="hidden" name="token" value="<?php echo $token; ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_head01 tbl_wrap">
     <table>

adm/shop_admin/couponlist_delete.php

@@ -6,7 +6,7 @@ check_demo();
 
 auth_check($auth[$sub_menu], 'd');
 
-check_token();
+check_admin_token();
 
 $count = count($_POST['chk']);
 if(!$count)

adm/shop_admin/itemcopy.php

@@ -25,6 +25,8 @@ include_once(G5_PATH.'/head.sub.php');
     </form>
 </div>
 
+<script src="<?php echo G5_ADMIN_URL ?>/admin.js"></script>
+
 <script>
 // <![CDATA[
 function _copy(link)
@@ -35,7 +37,12 @@ function _copy(link)
         alert("상품코드는 영문자, 숫자, -, _ 만 사용할 수 있습니다.");
         return false;
     }
-    opener.parent.location.href = encodeURI(link+'&new_it_id='+new_it_id);
+    var token = get_ajax_token();
+    if(!token) {
+        alert("토큰 정보가 올바르지 않습니다.");
+        return false;
+    }
+    opener.parent.location.href = encodeURI(link+'&new_it_id='+new_it_id+"&token="+token);
     self.close();
 }
 // ]]>

adm/shop_admin/itemcopyupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 if ($is_admin != "super")
     alert("최고관리자만 접근 가능합니다.");
 

adm/shop_admin/itemevent.php

@@ -62,7 +62,7 @@ $result = sql_query($sql);
         <td class="td_mng">
             <a href="./itemeventform.php?w=u&amp;ev_id=<?php echo $row['ev_id']; ?>">수정</a>
             <a href="<?php echo G5_SHOP_URL; ?>/event.php?ev_id=<?php echo $row['ev_id']; ?>">보기</a>
-            <a href="./itemeventformupdate.php?w=d&amp;ev_id=<?php echo $row['ev_id']; ?>" onclick="return delete_confirm();">삭제</a>
+            <a href="./itemeventformupdate.php?w=d&amp;ev_id=<?php echo $row['ev_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
         </td>
     </tr>
 

adm/shop_admin/itemeventformupdate.php

@@ -10,6 +10,8 @@ if ($w == 'd')
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 @mkdir(G5_DATA_PATH."/event", G5_DIR_PERMISSION);
 @chmod(G5_DATA_PATH."/event", G5_DIR_PERMISSION);
 

adm/shop_admin/itemformupdate.php

@@ -10,6 +10,8 @@ if ($w == '' || $w == 'u')
 else if ($w == 'd')
     auth_check($auth[$sub_menu], "d");
 
+check_admin_token();
+
 @mkdir(G5_DATA_PATH."/item", G5_DIR_PERMISSION);
 @chmod(G5_DATA_PATH."/item", G5_DIR_PERMISSION);
 

adm/shop_admin/itemlistupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 check_demo();
 
+check_admin_token();
+
 if (!count($_POST['chk'])) {
     alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }

adm/shop_admin/itemqaformupdate.php

@@ -9,6 +9,8 @@ if ($w == 'd')
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 if ($w == "u")
 {
     $sql = "update {$g5['g5_shop_item_qa_table']}

adm/shop_admin/itemqalistupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 check_demo();
 
+check_admin_token();
+
 if (!count($_POST['chk'])) {
     alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }

adm/shop_admin/itemstocklistupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 // 재고 일괄수정
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {

adm/shop_admin/itemstocksmsupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 check_demo();
 
+check_admin_token();
+
 if (!count($_POST['chk'])) {
     alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }

adm/shop_admin/itemtypelistupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
     $sql = "update {$g5['g5_shop_item_table']}

adm/shop_admin/itemuseformupdate.php

@@ -9,6 +9,8 @@ if ($w == 'd')
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 if ($w == "u")
 {
     $sql = "update {$g5['g5_shop_item_use_table']}

adm/shop_admin/itemuselistupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 check_demo();
 
+check_admin_token();
+
 if (!count($_POST['chk'])) {
     alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }
@@ -16,19 +18,19 @@ if ($_POST['act_button'] == "선택수정") {
     alert("선택수정이나 선택삭제 작업이 아닙니다.");
 }
 
-for ($i=0; $i<count($_POST['chk']); $i++) 
+for ($i=0; $i<count($_POST['chk']); $i++)
 {
     $k = $_POST['chk'][$i]; // 실제 번호를 넘김
-    
-    if ($_POST['act_button'] == "선택수정") 
+
+    if ($_POST['act_button'] == "선택수정")
     {
         $sql = "update {$g5['g5_shop_item_use_table']}
                    set is_score   = '{$_POST['is_score'][$k]}',
                        is_confirm = '{$_POST['is_confirm'][$k]}'
                  where is_id      = '{$_POST['is_id'][$k]}' ";
         sql_query($sql);
-    } 
-    else if ($_POST['act_button'] == "선택삭제") 
+    }
+    else if ($_POST['act_button'] == "선택삭제")
     {
         $sql = "delete from {$g5['g5_shop_item_use_table']} where is_id = '{$_POST['is_id'][$k]}' ";
         sql_query($sql);

adm/shop_admin/optionstocklistupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 // 재고 일괄수정
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {

adm/shop_admin/orderformcartupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 $ct_chk_count = count($_POST['ct_chk']);
 if(!$ct_chk_count)
     alert('처리할 자료를 하나 이상 선택해 주십시오.');

adm/shop_admin/orderformreceiptupdate.php

@@ -6,6 +6,8 @@ include_once(G5_LIB_PATH.'/mailer.lib.php');
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 $sql = " select * from {$g5['g5_shop_order_table']} where od_id = '$od_id' ";
 $od  = sql_fetch($sql);
 if(!$od['od_id'])

adm/shop_admin/orderformupdate.php

@@ -2,6 +2,8 @@
 $sub_menu = '400400';
 include_once('./_common.php');
 
+check_admin_token();
+
 if($_POST['mod_type'] == 'info') {
     $od_zip1   = substr($_POST['od_zip'], 0, 3);
     $od_zip2   = substr($_POST['od_zip'], 3);

adm/shop_admin/orderlistdelete.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 
 //print_r2($_POST); exit;
 
+check_admin_token();
+
 for ($i=0; $i<count($_POST['chk']); $i++)
 {
     // 실제 번호를 넘김

adm/shop_admin/orderlistupdate.php

@@ -4,6 +4,8 @@ include_once('./_common.php');
 include_once('./admin.shop.lib.php');
 include_once(G5_LIB_PATH.'/mailer.lib.php');
 
+check_admin_token();
+
 define("_ORDERMAIL_", true);
 
 //print_r2($_POST); exit;

adm/shop_admin/personalpayform.php

@@ -127,7 +127,7 @@ if(!sql_query(" select pp_cash from {$g5['g5_shop_personalpay_table']} limit 1 "
         <a href="./personalpaylist.php?<?php echo $qstr; ?>">목록</a>
         <?php } ?>
         <?php if($w == 'u') { ?>
-        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return del_confirm();">삭제</a>
+        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
         <?php } ?>
     </div>
 
@@ -255,7 +255,7 @@ if(!sql_query(" select pp_cash from {$g5['g5_shop_personalpay_table']} limit 1 "
         <a href="./personalpaylist.php?<?php echo $qstr; ?>">목록</a>
         <?php } ?>
         <?php if($w == 'u') { ?>
-        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return del_confirm();">삭제</a>
+        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
         <?php } ?>
     </div>
     <?php } ?>
@@ -273,11 +273,6 @@ function form_check(f)
 
     return true;
 }
-
-function del_confirm()
-{
-    return confirm("개인결제 정보를 삭제하시겠습니까?\n\n삭제한 정보는 복구할 수 없습니다.");
-}
 </script>
 
 <?php

adm/shop_admin/personalpayformupdate.php

@@ -2,6 +2,8 @@
 $sub_menu = '400440';
 include_once('./_common.php');
 
+check_admin_token();
+
 if($w == 'd') {
     auth_check($auth[$sub_menu], 'd');
 

adm/shop_admin/personalpaylist.php

@@ -4,8 +4,6 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "r");
 
-$token = get_token();
-
 $sql_common = " from {$g5['g5_shop_personalpay_table']} ";
 
 $sql_search = " where (1) ";
@@ -81,7 +79,7 @@ $colspan = 10;
 <input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
 <input type="hidden" name="stx" value="<?php echo $stx; ?>">
 <input type="hidden" name="page" value="<?php echo $page; ?>">
-<input type="hidden" name="token" value="<?php echo $token; ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_head01 tbl_wrap">
     <table>

adm/shop_admin/sendcostlist.php

@@ -4,8 +4,6 @@ include_once('./_common.php');
 
 auth_check($auth[$sub_menu], "r");
 
-$token = get_token();
-
 $sql_common = " from {$g5['g5_shop_sendcost_table']} ";
 
 $sql_search = " where (1) ";
@@ -40,7 +38,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
     <form name="fsendcost" id="fsendcost" method="post" action="./sendcostupdate.php" onsubmit="return fsendcost_submit(this);">
     <input type="hidden" name="w" value="d">
     <input type="hidden" name="page" value="<?php echo $page; ?>">
-    <input type="hidden" name="token" value="<?php echo $token; ?>">
+    <input type="hidden" name="token" value="">
     <div class="tbl_head01 tbl_wrap">
         <table>
         <caption>추가배송비 내역</caption>
@@ -92,7 +90,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
     <h2 class="h2_frm">추가배송비 등록</h2>
 
     <form name="fsendcost2" method="post" id="fsendcost2" action="./sendcostupdate.php" autocomplete="off">
-    <input type="hidden" name="token" value="<?php echo $token; ?>">
+    <input type="hidden" name="token" value="">
 
     <div class="tbl_frm01 tbl_wrap">
         <table>

adm/shop_admin/sendcostupdate.php

@@ -6,6 +6,8 @@ check_demo();
 
 auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 $w = $_POST['w'];
 
 if($w == 'd') {