KVE-2019-1045 그누보드 XSS, RCE 취약점 수정

2019-06-13 14:55:25 +09:00
parent a1dbe22063
commit a6d851e174
2 changed files with 16 additions and 6 deletions
--- a/adm/menu_list_update.php
+++ b/adm/menu_list_update.php
@ -20,9 +20,11 @@ $count = count($_POST['code']);
 for ($i=0; $i<$count; $i++)
 {
    $_POST = array_map_deep('trim', $_POST);
+    
+    $_POST['me_link'][$i] = is_array($_POST['me_link']) ? clean_xss_tags($_POST['me_link'][$i], 1) : '';

-    $code    = strip_tags($_POST['code'][$i]);
-    $me_name = strip_tags($_POST['me_name'][$i]);
+    $code    = is_array($_POST['code']) ? strip_tags($_POST['code'][$i]) : '';
+    $me_name = is_array($_POST['me_name']) ? strip_tags($_POST['me_name'][$i]) : '';
    $me_link = (preg_match('/^javascript/i', $_POST['me_link'][$i]) || preg_match('/script:/i', $_POST['me_link'][$i])) ? G5_URL : strip_tags($_POST['me_link'][$i]);
    
    if(!$code || !$me_name || !$me_link)
@ -56,9 +58,9 @@ for ($i=0; $i<$count; $i++)

    // 메뉴 등록
    $sql = " insert into {$g5['menu_table']}
-                set me_code         = '$me_code',
-                    me_name         = '$me_name',
-                    me_link         = '$me_link',
+                set me_code         = '".$me_code."',
+                    me_name         = '".$me_name."',
+                    me_link         = '".$me_link."',
                    me_target       = '".sql_real_escape_string(strip_tags($_POST['me_target'][$i]))."',
                    me_order        = '".sql_real_escape_string(strip_tags($_POST['me_order'][$i]))."',
                    me_use          = '".sql_real_escape_string(strip_tags($_POST['me_use'][$i]))."',
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -3501,6 +3501,11 @@ function get_call_func_cache($func, $args=array()){
 function is_include_path_check($path='', $is_input='')
 {
    if( $path ){
+
+        if( strlen($path) > 255 ){
+            return false;
+        }
+
        if ($is_input){
            // 장태진 @jtjisgod <jtjisgod@gmail.com> 추가
            // 보안 목적 : rar wrapper 차단
@ -3559,11 +3564,14 @@ function is_include_path_check($path='', $is_input='')
            if( (preg_match('/\.\.\//i', $replace_path) || preg_match('/^\/.*/i', $replace_path)) && preg_match('/plugin\//i', $replace_path) && preg_match('/okname\//i', $replace_path) ){
                return false;
            }
+            if( substr_count($replace_path, './') > 5 ){
+                return false;
+            }
        }

        $extension = pathinfo($path, PATHINFO_EXTENSION);
        
-        if($extension && preg_match('/(jpg|jpeg|png|gif|bmp|conf)$/i', $extension)) {
+        if($extension && preg_match('/(jpg|jpeg|png|gif|bmp|conf|php\-x)$/i', $extension)) {
            return false;
        }
    }