XSS 취약점, 새 우편번호, 기타 오류 수정

bbs/alert.php

@@ -30,7 +30,8 @@ include_once(G5_PATH.'/head.sub.php');
 
 $msg2 = str_replace("\\n", "<br>", $msg);
 
-if (!$url) $url = $_SERVER['HTTP_REFERER'];
+$url = clean_xss_tags($url);
+if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);
 
 // url 체크
 check_url_host($url);

bbs/confirm.php

@@ -2,6 +2,10 @@
 include_once('./_common.php');
 include_once(G5_PATH.'/head.sub.php');
 
+$url1 = clean_xss_tags($url1);
+$url2 = clean_xss_tags($url2);
+$url3 = clean_xss_tags($url3);
+
 // url 체크
 check_url_host($url1);
 check_url_host($url2);

bbs/move.php

@@ -55,7 +55,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
     <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="act" value="<?php echo $act ?>">
-    <input type="hidden" name="url" value="<?php echo $_SERVER['HTTP_REFERER'] ?>">
+    <input type="hidden" name="url" value="<?php echo clean_xss_tags($_SERVER['HTTP_REFERER']); ?>">
 
     <div class="tbl_head01 tbl_wrap">
         <table>

bbs/new.php

@@ -17,6 +17,8 @@ if ($view == "w")
     $sql_common .= " and a.wr_id = a.wr_parent ";
 else if ($view == "c")
     $sql_common .= " and a.wr_id <> a.wr_parent ";
+else
+    $view = '';
 
 $mb_id = isset($_GET['mb_id']) ? ($_GET['mb_id']) : '';
 $mb_id = substr(preg_replace('#[^a-z0-9_]#i', '', $mb_id), 0, 20);

bbs/newwin.inc.php

@@ -13,14 +13,11 @@ $result = sql_query($sql, false);
     <h2>팝업레이어 알림</h2>
 
 <?php
-for ($i=0; $row_nw=sql_fetch_array($result); $i++)
+for ($i=0; $nw=sql_fetch_array($result); $i++)
 {
     // 이미 체크 되었다면 Continue
-    if ($_COOKIE["hd_pops_{$row_nw['nw_id']}"])
+    if ($_COOKIE["hd_pops_{$nw['nw_id']}"])
         continue;
-
-    $sql = " select * from {$g5['new_win_table']} where nw_id = '{$row_nw['nw_id']}' ";
-    $nw = sql_fetch($sql);
 ?>
 
     <div id="hd_pops_<?php echo $nw['nw_id'] ?>" class="hd_pops" style="top:<?php echo $nw['nw_top']?>px;left:<?php echo $nw['nw_left']?>px">

bbs/register_email.php

@@ -2,27 +2,28 @@
 include_once('./_common.php');
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
+$g5['title'] = '메일인증 메일주소 변경';
+include_once('./_head.php');
+
+$mb_id = substr(clean_xss_tags($_GET['mb_id']), 0, 20);
 $sql = " select mb_email, mb_datetime, mb_email_certify from {$g5['member_table']} where mb_id = '{$mb_id}' ";
 $mb = sql_fetch($sql);
 if (substr($mb['mb_email_certify'],0,1)!=0) {
     alert("이미 메일인증 하신 회원입니다.", G5_URL);
 }
-
-$g5['title'] = '메일인증 메일주소 변경';
-include_once('./_head.php');
 ?>
 
-<p>메일인증을 받지 못한 경우 회원정보의 메일주소를 변경 할 수 있습니다.</p>
+<p class="rg_em_p">메일인증을 받지 못한 경우 회원정보의 메일주소를 변경 할 수 있습니다.</p>
 
 <form method="post" name="fregister_email" action="<?php echo G5_HTTPS_BBS_URL.'/register_email_update.php'; ?>" onsubmit="return fregister_email_submit(this);">
 <input type="hidden" name="mb_id" value="<?php echo $mb_id; ?>">
 
-<div class="tbl_frm01 tbl_frm">
+<div class="tbl_frm01 tbl_frm rg_em">
     <table>
     <caption>사이트 이용정보 입력</caption>
     <tr>
         <th scope="row"><label for="reg_mb_email">E-mail<strong class="sound_only">필수</strong></label></th>
-        <td><input type="text" name="mb_email" id="reg_mb_email" required class="frm_input email required" size="50" maxlength="100" value="<?php echo $mb['mb_email']; ?>"></td>
+        <td><input type="text" name="mb_email" id="reg_mb_email" required class="frm_input email required" size="30" maxlength="100" value="<?php echo $mb['mb_email']; ?>"></td>
     </tr>
     <tr>
         <th scope="row">자동등록방지</th>

bbs/register_email_update.php

@@ -8,7 +8,7 @@ $mb_email = trim($_POST['mb_email']);
 
 $sql = " select mb_name, mb_datetime from {$g5['member_table']} where mb_id = '{$mb_id}' and mb_email_certify <> '' ";
 $mb = sql_fetch($sql);
-if (!$mb) {
+if ($mb) {
     alert("이미 메일인증 하신 회원입니다.", G5_URL);
 }
 

bbs/register_form.php

@@ -115,6 +115,9 @@ $req_nick = !isset($member['mb_nick_date']) || (isset($member['mb_nick_date']) &
 $required = ($w=='') ? 'required' : '';
 $readonly = ($w=='u') ? 'readonly' : '';
 
+$agree  = preg_replace('#[^0-9]#', '', $agree);
+$agree2 = preg_replace('#[^0-9]#', '', $agree2);
+
 // add_javascript('js 구문', 출력순서); 숫자가 작을 수록 먼저 출력됨
 if ($config['cf_use_addr'])
     add_javascript(G5_POSTCODE_JS, 0);    //다음 주소 js

bbs/register_form_update.php

@@ -40,8 +40,8 @@ $mb_birth       = isset($_POST['mb_birth'])         ? trim($_POST['mb_birth'])
 $mb_homepage    = isset($_POST['mb_homepage'])      ? trim($_POST['mb_homepage'])    : "";
 $mb_tel         = isset($_POST['mb_tel'])           ? trim($_POST['mb_tel'])         : "";
 $mb_hp          = isset($_POST['mb_hp'])            ? trim($_POST['mb_hp'])          : "";
-$mb_zip1        = isset($_POST['mb_zip1'])          ? trim($_POST['mb_zip1'])        : "";
-$mb_zip2        = isset($_POST['mb_zip2'])          ? trim($_POST['mb_zip2'])        : "";
+$mb_zip1        = isset($_POST['mb_zip'])           ? substr(trim($_POST['mb_zip']), 0, 3) : "";
+$mb_zip2        = isset($_POST['mb_zip'])           ? substr(trim($_POST['mb_zip']), 3)    : "";
 $mb_addr1       = isset($_POST['mb_addr1'])         ? trim($_POST['mb_addr1'])       : "";
 $mb_addr2       = isset($_POST['mb_addr2'])         ? trim($_POST['mb_addr2'])       : "";
 $mb_addr3       = isset($_POST['mb_addr3'])         ? trim($_POST['mb_addr3'])       : "";

bbs/search.php

@@ -17,7 +17,7 @@ if ($stx) {
     $stx = preg_replace('/\//', '\/', trim($stx));
     $sop = strtolower($sop);
     if (!$sop || !($sop == 'and' || $sop == 'or')) $sop = 'and'; // 연산자 and , or
-    $srows = isset($_GET['srows']) ? preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
+    $srows = isset($_GET['srows']) ? (int)preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
     if (!$srows) $srows = 10; // 한페이지에 출력하는 검색 행수
 
     $g5_search['tables'] = Array();