쇼핑몰 관리자 CSRF 취약점 수정

2015-11-24 14:43:42 +09:00
parent bfaa429721
commit a155f4d659
34 changed files with 72 additions and 27 deletions
--- a/adm/shop_admin/bannerformupdate.php
+++ b/adm/shop_admin/bannerformupdate.php
@ -9,6 +9,8 @@ if ($W == 'd')
 else
    auth_check($auth[$sub_menu], "w");
 check_admin_token();
@mkdir(G5_DATA_PATH."/banner", G5_DIR_PERMISSION);
@chmod(G5_DATA_PATH."/banner", G5_DIR_PERMISSION);
--- a/adm/shop_admin/bannerlist.php
+++ b/adm/shop_admin/bannerlist.php
@ -100,7 +100,7 @@ $from_record = ($page - 1) * $rows; // 시작 열을 구함
        <td headers="th_hit" class="td_num"><?php echo $row['bn_hit']; ?></td>
        <td headers="th_mng" class="td_mngsmall">
            <a href="./bannerform.php?w=u&amp;bn_id=<?php echo $row['bn_id']; ?>">수정</a></li>
-            <a href="./bannerformupdate.php?w=d&amp;bn_id=<?php echo $row['bn_id']; ?>" onclick="return delete_confirm();">삭제</a>
+            <a href="./bannerformupdate.php?w=d&amp;bn_id=<?php echo $row['bn_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
        </td>
    </tr>
    <tr class="<?php echo $bg; ?>">
--- a/adm/shop_admin/categoryformupdate.php
+++ b/adm/shop_admin/categoryformupdate.php
@ -19,6 +19,8 @@ if ($w == "u" || $w == "d")
 auth_check($auth[$sub_menu], "d");
 check_admin_token();
 if ($w == 'd' && $is_admin != 'super')
    alert("최고관리자만 분류를 삭제할 수 있습니다.");
--- a/adm/shop_admin/categorylist.php
+++ b/adm/shop_admin/categorylist.php
@ -137,7 +137,7 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
        $s_upd = '<a href="./categoryform.php?w=u&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'"><span class="sound_only">'.get_text($row['ca_name']).' </span>수정</a> ';
        if ($is_admin == 'super')
-            $s_del = '<a href="./categoryformupdate.php?w=d&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'" onclick="return delete_confirm();"><span class="sound_only">'.get_text($row['ca_name']).' </span>삭제</a> ';
+            $s_del = '<a href="./categoryformupdate.php?w=d&amp;ca_id='.$row['ca_id'].'&amp;'.$qstr.'" onclick="return delete_confirm(this);"><span class="sound_only">'.get_text($row['ca_name']).' </span>삭제</a> ';
        // 해당 분류에 속한 상품의 수
        $sql1 = " select COUNT(*) as cnt from {$g5['g5_shop_item_table']}
--- a/adm/shop_admin/categorylistupdate.php
+++ b/adm/shop_admin/categorylistupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 for ($i=0; $i<count($_POST['ca_id']); $i++)
 {
    if ($_POST['ca_mb_id'][$i])
--- a/adm/shop_admin/configform.php
+++ b/adm/shop_admin/configform.php
@ -115,6 +115,7 @@ if(!isset($default['de_kakaopay_mid'])) {
 ?>
 <form name="fconfig" action="./configformupdate.php" onsubmit="return fconfig_check(this)" method="post" enctype="MULTIPART/FORM-DATA">
 <input type="hidden" name="token" value="">
 <section id="anc_scf_info">
    <h2 class="h2_frm">사업자정보</h2>
    <?php echo $pg_anchor; ?>
--- a/adm/shop_admin/configformupdate.php
+++ b/adm/shop_admin/configformupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 // 대표전화번호 유효성 체크
 if(!check_vaild_callback($_POST['de_admin_company_tel']))
    alert('대표전화번호를 올바르게 입력해 주세요.');
--- a/adm/shop_admin/couponformupdate.php
+++ b/adm/shop_admin/couponformupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 $_POST = array_map('trim', $_POST);
 if(!$_POST['cp_subject'])
--- a/adm/shop_admin/couponlist.php
+++ b/adm/shop_admin/couponlist.php
@ -4,8 +4,6 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "r");
 $token = get_token();
 $sql_common = " from {$g5['g5_shop_coupon_table']} ";
 $sql_search = " where (1) ";
@ -77,7 +75,7 @@ $colspan = 9;
 <input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
 <input type="hidden" name="stx" value="<?php echo $stx; ?>">
 <input type="hidden" name="page" value="<?php echo $page; ?>">
-<input type="hidden" name="token" value="<?php echo $token; ?>">
+<input type="hidden" name="token" value="">
 <div class="tbl_head01 tbl_wrap">
    <table>
--- a/adm/shop_admin/couponlist_delete.php
+++ b/adm/shop_admin/couponlist_delete.php
@ -6,7 +6,7 @@ check_demo();
 auth_check($auth[$sub_menu], 'd');
-check_token();
+check_admin_token();
 $count = count($_POST['chk']);
 if(!$count)
--- a/adm/shop_admin/itemcopy.php
+++ b/adm/shop_admin/itemcopy.php
@ -25,6 +25,8 @@ include_once(G5_PATH.'/head.sub.php');
    </form>
 </div>
 <script src="<?php echo G5_ADMIN_URL ?>/admin.js"></script>
 <script>
 // <![CDATA[
 function _copy(link)
@ -35,7 +37,12 @@ function _copy(link)
        alert("상품코드는 영문자, 숫자, -, _ 만 사용할 수 있습니다.");
        return false;
    }
-    opener.parent.location.href = encodeURI(link+'&new_it_id='+new_it_id);
+    var token = get_ajax_token();
    if(!token) {
        alert("토큰 정보가 올바르지 않습니다.");
        return false;
    }
    opener.parent.location.href = encodeURI(link+'&new_it_id='+new_it_id+"&token="+token);
    self.close();
 }
 // ]]>
--- a/adm/shop_admin/itemcopyupdate.php
+++ b/adm/shop_admin/itemcopyupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 if ($is_admin != "super")
    alert("최고관리자만 접근 가능합니다.");
--- a/adm/shop_admin/itemevent.php
+++ b/adm/shop_admin/itemevent.php
@ -62,7 +62,7 @@ $result = sql_query($sql);
        <td class="td_mng">
            <a href="./itemeventform.php?w=u&amp;ev_id=<?php echo $row['ev_id']; ?>">수정</a>
            <a href="<?php echo G5_SHOP_URL; ?>/event.php?ev_id=<?php echo $row['ev_id']; ?>">보기</a>
-            <a href="./itemeventformupdate.php?w=d&amp;ev_id=<?php echo $row['ev_id']; ?>" onclick="return delete_confirm();">삭제</a>
+            <a href="./itemeventformupdate.php?w=d&amp;ev_id=<?php echo $row['ev_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
        </td>
    </tr>
--- a/adm/shop_admin/itemeventformupdate.php
+++ b/adm/shop_admin/itemeventformupdate.php
@ -10,6 +10,8 @@ if ($w == 'd')
 else
    auth_check($auth[$sub_menu], "w");
 check_admin_token();
@mkdir(G5_DATA_PATH."/event", G5_DIR_PERMISSION);
@chmod(G5_DATA_PATH."/event", G5_DIR_PERMISSION);
--- a/adm/shop_admin/itemformupdate.php
+++ b/adm/shop_admin/itemformupdate.php
@ -10,6 +10,8 @@ if ($w == '' || $w == 'u')
 else if ($w == 'd')
    auth_check($auth[$sub_menu], "d");
 check_admin_token();
@mkdir(G5_DATA_PATH."/item", G5_DIR_PERMISSION);
@chmod(G5_DATA_PATH."/item", G5_DIR_PERMISSION);
--- a/adm/shop_admin/itemlistupdate.php
+++ b/adm/shop_admin/itemlistupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 check_demo();
 check_admin_token();
 if (!count($_POST['chk'])) {
    alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }
--- a/adm/shop_admin/itemqaformupdate.php
+++ b/adm/shop_admin/itemqaformupdate.php
@ -9,6 +9,8 @@ if ($w == 'd')
 else
    auth_check($auth[$sub_menu], "w");
 check_admin_token();
 if ($w == "u")
 {
    $sql = "update {$g5['g5_shop_item_qa_table']}
--- a/adm/shop_admin/itemqalistupdate.php
+++ b/adm/shop_admin/itemqalistupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 check_demo();
 check_admin_token();
 if (!count($_POST['chk'])) {
    alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }
--- a/adm/shop_admin/itemstocklistupdate.php
+++ b/adm/shop_admin/itemstocklistupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 // 재고 일괄수정
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
--- a/adm/shop_admin/itemstocksmsupdate.php
+++ b/adm/shop_admin/itemstocksmsupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 check_demo();
 check_admin_token();
 if (!count($_POST['chk'])) {
    alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }
--- a/adm/shop_admin/itemtypelistupdate.php
+++ b/adm/shop_admin/itemtypelistupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
    $sql = "update {$g5['g5_shop_item_table']}
--- a/adm/shop_admin/itemuseformupdate.php
+++ b/adm/shop_admin/itemuseformupdate.php
@ -9,6 +9,8 @@ if ($w == 'd')
 else
    auth_check($auth[$sub_menu], "w");
 check_admin_token();
 if ($w == "u")
 {
    $sql = "update {$g5['g5_shop_item_use_table']}
--- a/adm/shop_admin/itemuselistupdate.php
+++ b/adm/shop_admin/itemuselistupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 check_demo();
 check_admin_token();
 if (!count($_POST['chk'])) {
    alert($_POST['act_button']." 하실 항목을 하나 이상 체크하세요.");
 }
@ -16,19 +18,19 @@ if ($_POST['act_button'] == "선택수정") {
    alert("선택수정이나 선택삭제 작업이 아닙니다.");
 }
-for ($i=0; $i<count($_POST['chk']); $i++) 
+for ($i=0; $i<count($_POST['chk']); $i++)
 {
    $k = $_POST['chk'][$i]; // 실제 번호를 넘김
-    
+
-    if ($_POST['act_button'] == "선택수정") 
+    if ($_POST['act_button'] == "선택수정")
    {
        $sql = "update {$g5['g5_shop_item_use_table']}
                   set is_score   = '{$_POST['is_score'][$k]}',
                       is_confirm = '{$_POST['is_confirm'][$k]}'
                 where is_id      = '{$_POST['is_id'][$k]}' ";
        sql_query($sql);
-    } 
+    }
-    else if ($_POST['act_button'] == "선택삭제") 
+    else if ($_POST['act_button'] == "선택삭제")
    {
        $sql = "delete from {$g5['g5_shop_item_use_table']} where is_id = '{$_POST['is_id'][$k]}' ";
        sql_query($sql);
--- a/adm/shop_admin/optionstocklistupdate.php
+++ b/adm/shop_admin/optionstocklistupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 // 재고 일괄수정
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
--- a/adm/shop_admin/orderformcartupdate.php
+++ b/adm/shop_admin/orderformcartupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 $ct_chk_count = count($_POST['ct_chk']);
 if(!$ct_chk_count)
    alert('처리할 자료를 하나 이상 선택해 주십시오.');
--- a/adm/shop_admin/orderformreceiptupdate.php
+++ b/adm/shop_admin/orderformreceiptupdate.php
@ -6,6 +6,8 @@ include_once(G5_LIB_PATH.'/mailer.lib.php');
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 $sql = " select * from {$g5['g5_shop_order_table']} where od_id = '$od_id' ";
 $od  = sql_fetch($sql);
 if(!$od['od_id'])
--- a/adm/shop_admin/orderformupdate.php
+++ b/adm/shop_admin/orderformupdate.php
@ -2,6 +2,8 @@
 $sub_menu = '400400';
 include_once('./_common.php');
 check_admin_token();
 if($_POST['mod_type'] == 'info') {
    $od_zip1   = substr($_POST['od_zip'], 0, 3);
    $od_zip2   = substr($_POST['od_zip'], 3);
--- a/adm/shop_admin/orderlistdelete.php
+++ b/adm/shop_admin/orderlistdelete.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 //print_r2($_POST); exit;
 check_admin_token();
 for ($i=0; $i<count($_POST['chk']); $i++)
 {
    // 실제 번호를 넘김
--- a/adm/shop_admin/orderlistupdate.php
+++ b/adm/shop_admin/orderlistupdate.php
@ -4,6 +4,8 @@ include_once('./_common.php');
 include_once('./admin.shop.lib.php');
 include_once(G5_LIB_PATH.'/mailer.lib.php');
 check_admin_token();
 define("_ORDERMAIL_", true);
 //print_r2($_POST); exit;
--- a/adm/shop_admin/personalpayform.php
+++ b/adm/shop_admin/personalpayform.php
@ -127,7 +127,7 @@ if(!sql_query(" select pp_cash from {$g5['g5_shop_personalpay_table']} limit 1 "
        <a href="./personalpaylist.php?<?php echo $qstr; ?>">목록</a>
        <?php } ?>
        <?php if($w == 'u') { ?>
-        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return del_confirm();">삭제</a>
+        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
        <?php } ?>
    </div>
@ -255,7 +255,7 @@ if(!sql_query(" select pp_cash from {$g5['g5_shop_personalpay_table']} limit 1 "
        <a href="./personalpaylist.php?<?php echo $qstr; ?>">목록</a>
        <?php } ?>
        <?php if($w == 'u') { ?>
-        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return del_confirm();">삭제</a>
+        <a href="./personalpayformupdate.php?w=d&amp;pp_id=<?php echo $pp['pp_id']; ?>" onclick="return delete_confirm(this);">삭제</a>
        <?php } ?>
    </div>
    <?php } ?>
@ -273,11 +273,6 @@ function form_check(f)
    return true;
 }
 function del_confirm()
 {
    return confirm("개인결제 정보를 삭제하시겠습니까?\n\n삭제한 정보는 복구할 수 없습니다.");
 }
 </script>
 <?php
--- a/adm/shop_admin/personalpayformupdate.php
+++ b/adm/shop_admin/personalpayformupdate.php
@ -2,6 +2,8 @@
 $sub_menu = '400440';
 include_once('./_common.php');
 check_admin_token();
 if($w == 'd') {
    auth_check($auth[$sub_menu], 'd');
--- a/adm/shop_admin/personalpaylist.php
+++ b/adm/shop_admin/personalpaylist.php
@ -4,8 +4,6 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "r");
 $token = get_token();
 $sql_common = " from {$g5['g5_shop_personalpay_table']} ";
 $sql_search = " where (1) ";
@ -81,7 +79,7 @@ $colspan = 10;
 <input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
 <input type="hidden" name="stx" value="<?php echo $stx; ?>">
 <input type="hidden" name="page" value="<?php echo $page; ?>">
-<input type="hidden" name="token" value="<?php echo $token; ?>">
+<input type="hidden" name="token" value="">
 <div class="tbl_head01 tbl_wrap">
    <table>
--- a/adm/shop_admin/sendcostlist.php
+++ b/adm/shop_admin/sendcostlist.php
@ -4,8 +4,6 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], "r");
 $token = get_token();
 $sql_common = " from {$g5['g5_shop_sendcost_table']} ";
 $sql_search = " where (1) ";
@ -40,7 +38,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
    <form name="fsendcost" id="fsendcost" method="post" action="./sendcostupdate.php" onsubmit="return fsendcost_submit(this);">
    <input type="hidden" name="w" value="d">
    <input type="hidden" name="page" value="<?php echo $page; ?>">
-    <input type="hidden" name="token" value="<?php echo $token; ?>">
+    <input type="hidden" name="token" value="">
    <div class="tbl_head01 tbl_wrap">
        <table>
        <caption>추가배송비 내역</caption>
@ -92,7 +90,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
    <h2 class="h2_frm">추가배송비 등록</h2>
    <form name="fsendcost2" method="post" id="fsendcost2" action="./sendcostupdate.php" autocomplete="off">
-    <input type="hidden" name="token" value="<?php echo $token; ?>">
+    <input type="hidden" name="token" value="">
    <div class="tbl_frm01 tbl_wrap">
        <table>
--- a/adm/shop_admin/sendcostupdate.php
+++ b/adm/shop_admin/sendcostupdate.php
@ -6,6 +6,8 @@ check_demo();
 auth_check($auth[$sub_menu], "w");
 check_admin_token();
 $w = $_POST['w'];
 if($w == 'd') {