KVE-0994,0995,1014 취약점 수정

adm/contentform.php

@@ -35,6 +35,7 @@ if(!sql_query(" select co_skin from {$g5['content_table']} limit 1 ", false)) {
 
 $html_title = "내용";
 $g5['title'] = $html_title.' 관리';
+$readonly = '';
 
 if ($w == "u")
 {

adm/visit_list.php

@@ -73,7 +73,7 @@ $result = sql_query($sql);
             }
 
             $title = str_replace(array('<', '>', '&'), array("&lt;", "&gt;", "&amp;"), $referer);
-            $link = '<a href="'.$row['vi_referer'].'" target="_blank">';
+            $link = '<a href="'.get_text($row['vi_referer']).'" target="_blank">';
             $link = str_replace('&', "&amp;", $link);
             $link2 = '</a>';
         }

adm/visit_search.php

@@ -92,7 +92,7 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'">처음</a>'; //페이지 처
             }
 
             $title = str_replace(array("<", ">"), array("&lt;", "&gt;"), $referer);
-            $link = '<a href="'.$row['vi_referer'].'" target="_blank" title="'.$title.'">';
+            $link = '<a href="'.get_text($row['vi_referer']).'" target="_blank" title="'.$title.'">';
         }
 
         if ($is_admin == 'super')

bbs/alert.php

@@ -31,8 +31,8 @@ include_once(G5_PATH.'/head.sub.php');
 $msg = isset($msg) ? strip_tags($msg) : '';
 $msg2 = str_replace("\\n", "<br>", $msg);
 
-$url = clean_xss_tags($url);
-if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);
+$url = clean_xss_tags($url, 1);
+if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER'], 1);
 
 $url = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", $url);
 $url = preg_replace('/\r\n|\r|\n|[^\x20-\x7e]/','', $url);

bbs/confirm.php

@@ -5,11 +5,11 @@ include_once(G5_PATH.'/head.sub.php');
 $pattern1 = "/[\<\>\'\"\\\'\\\"\(\)]/";
 $pattern2 = "/\r\n|\r|\n|[^\x20-\x7e]/";
 
-$url1 = preg_replace($pattern1, "", clean_xss_tags($url1));
+$url1 = preg_replace($pattern1, "", clean_xss_tags($url1, 1));
 $url1 = preg_replace($pattern2, "", $url1);
-$url2 = preg_replace($pattern1, "", clean_xss_tags($url2));
+$url2 = preg_replace($pattern1, "", clean_xss_tags($url2, 1));
 $url2 = preg_replace($pattern2, "", $url2);
-$url3 = preg_replace($pattern1, "", clean_xss_tags($url3));
+$url3 = preg_replace($pattern1, "", clean_xss_tags($url3, 1));
 $url3 = preg_replace($pattern2, "", $url3);
 
 // url 체크
@@ -31,12 +31,12 @@ if (confirm(conf)) {
 <article id="confirm_check">
 <header>
     <hgroup>
-        <h1><?php echo $header; ?></h1> <!-- 수행 중이던 작업 내용 -->
+        <h1><?php echo get_text(strip_tags($header)); ?></h1> <!-- 수행 중이던 작업 내용 -->
         <h2>아래 내용을 확인해 주세요.</h2>
     </hgroup>
 </header>
 <p>
-    <?php echo $msg; ?>
+    <?php echo get_text(strip_tags($msg)); ?>
 </p>
 
 <a href="<?php echo $url1; ?>">확인</a>

bbs/visit_insert.inc.php

@@ -13,8 +13,8 @@ if (get_cookie('ck_visit_ip') != $_SERVER['REMOTE_ADDR'])
     $remote_addr = escape_trim($_SERVER['REMOTE_ADDR']);
     $referer = "";
     if (isset($_SERVER['HTTP_REFERER']))
-        $referer = escape_trim(clean_xss_tags($_SERVER['HTTP_REFERER']));
-    $user_agent  = escape_trim(clean_xss_tags($_SERVER['HTTP_USER_AGENT']));
+        $referer = escape_trim(clean_xss_tags(strip_tags($_SERVER['HTTP_REFERER'])));
+    $user_agent  = escape_trim(clean_xss_tags(strip_tags($_SERVER['HTTP_USER_AGENT'])));
     $vi_browser = '';
     $vi_os = '';
     $vi_device = '';

lib/common.lib.php

@@ -2887,13 +2887,17 @@ function get_search_string($stx)
 }
 
 // XSS 관련 태그 제거
-function clean_xss_tags($str)
+function clean_xss_tags($str, $check_entities=0)
 {
     $str_len = strlen($str);
     
     $i = 0;
     while($i <= $str_len){
         $result = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $str);
+        
+        if( $check_entities ){
+            $result = str_replace(array('&colon;', '&lpar;', '&rpar;', '&NewLine;', '&Tab;'), '', $result);
+        }
 
         if((string)$result === (string)$str) break;