firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

[KVE-2020-1276,1546] CSRF 취약점 제보로 1:1 문의 토큰 체크 코드 추가

Browse Source
This commit is contained in:
thisgun
2021-01-04 17:47:14 +09:00
parent 83b4c80964
commit a7fa3a20fc
14 changed files with 122 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
bbs/ajax.write.token.php Normal file
View File

@ -0,0 +1,11 @@
<?php
include_once('./_common.php');
include_once(G5_LIB_PATH.'/json.lib.php');
$token_case = isset($_POST['token_case']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['token_case']) : '';
if( $token_case ){
$token = _token();
set_session('ss_'.$token_case.'_token', $token);
die(json_encode(array('error'=>'', 'token'=>$token, 'url'=>'')));
}

6
bbs/qadelete.php
View File

@ -4,11 +4,13 @@ include_once('./_common.php');
if($is_guest)
alert('회원이시라면 로그인 후 이용해 주십시오.', G5_URL);
$token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';
$delete_token = get_session('ss_qa_delete_token');
set_session('ss_qa_delete_token', '');
//관리자가 아닌경우에는 토큰을 검사합니다.
if (!$is_admin && !($token && $delete_token == $token))
//모든 회원의 토큰을 검사합니다.
if (!($token && $delete_token === $token))
alert('토큰 에러로 삭제 불가합니다.');
$tmp_array = array();

7
bbs/qalist.php
View File

@ -6,6 +6,12 @@ if($is_guest)
$qaconfig = get_qa_config();
$token = '';
if( $is_admin ){
$token = _token();
set_session('ss_qa_delete_token', $token);
}
$g5['title'] = $qaconfig['qa_title'];
include_once('./qahead.php');
@ -13,6 +19,7 @@ $skin_file = $qa_skin_path.'/list.skin.php';
$is_auth = $is_admin ? true : false;
$category_option = '';
if ($qaconfig['qa_category']) {
$category_href = G5_BBS_URL.'/qalist.php';

7
bbs/qaview.php
View File

@ -10,6 +10,9 @@ if($is_guest)
$qaconfig = get_qa_config();
$content = '';
$token = _token();
set_session('ss_qa_delete_token', $token);
$g5['title'] = $qaconfig['qa_title'];
include_once('./qahead.php');
@ -110,9 +113,9 @@ if(is_file($skin_file)) {
$update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$view['qa_id'].$qstr;
}
*/
if(($view['qa_type'] && $is_admin) || (!$view['qa_type'] && $view['qa_status'] == 0)) {
$update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$view['qa_id'].$qstr;
set_session('ss_qa_delete_token', $token = uniqid(time()));
$delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].'&amp;token='.$token.$qstr;
}
@ -129,7 +132,7 @@ if(is_file($skin_file)) {
if($is_admin) {
$answer_update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$answer['qa_id'].$qstr;
$answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].$qstr;
$answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].'&amp;token='.$token.$qstr;
}
}

2
bbs/qawrite.php
View File

@ -13,6 +13,8 @@ if($is_guest)
alert('회원이시라면 로그인 후 이용해 보십시오.', './login.php?url='.urlencode(G5_BBS_URL.'/qalist.php'));
$qaconfig = get_qa_config();
$token = _token();
set_session('ss_qa_write_token', $token);
$g5['title'] = $qaconfig['qa_title'];
include_once('./qahead.php');

9
bbs/qawrite_update.php
View File

@ -12,6 +12,15 @@ if($is_guest)
$msg = array();
$write_token = get_session('ss_qa_write_token');
set_session('ss_qa_write_token', '');
$token = isset($_POST['token']) ? clean_xss_tags($_POST['token'], 1, 1) : '';
//모든 회원의 토큰을 검사합니다.
if (!($token && $write_token === $token))
alert('토큰 에러로 삭제 불가합니다.');
// 1:1문의 설정값
$qaconfig = get_qa_config();
$qa_id = isset($_POST['qa_id']) ? (int) $_POST['qa_id'] : 0;

1
mobile/skin/qa/basic/list.skin.php
View File

@ -45,6 +45,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="stx" value="<?php echo $stx; ?>">
<input type="hidden" name="sca" value="<?php echo $sca; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="token" value="<?php echo get_text($token); ?>">
<?php if ($is_checkbox) { ?>
<div class="all_chk chk_box">

20
mobile/skin/qa/basic/write.skin.php
View File

@ -13,6 +13,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="sca" value="<?php echo $sca ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<?php
$option = '';
$option_hidden = '';
@ -173,6 +174,25 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
}
<?php } ?>
$.ajax({
type: "POST",
url: g5_bbs_url+"/ajax.write.token.php",
data: { 'token_case' : 'qa_write' },
cache: false,
async: false,
dataType: "json",
success: function(data) {
if (typeof data.token !== "undefined") {
token = data.token;
if(typeof f.token === "undefined")
$(f).prepend('<input type="hidden" name="token" value="">');
$(f).find("input[name=token]").val(token);
}
}
});
document.getElementById("btn_submit").disabled = "disabled";
return true;

1
skin/qa/basic/list.skin.php
View File

@ -72,6 +72,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="stx" value="<?php echo $stx; ?>">
<input type="hidden" name="sca" value="<?php echo $sca; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="token" value="<?php echo get_text($token); ?>">
<div class="tbl_head01 tbl_wrap">
<table>

20
skin/qa/basic/write.skin.php
View File

@ -14,6 +14,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="sca" value="<?php echo $sca ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<?php
$option = '';
$option_hidden = '';
@ -166,6 +167,25 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
}
<?php } ?>
$.ajax({
type: "POST",
url: g5_bbs_url+"/ajax.write.token.php",
data: { 'token_case' : 'qa_write' },
cache: false,
async: false,
dataType: "json",
success: function(data) {
if (typeof data.token !== "undefined") {
token = data.token;
if(typeof f.token === "undefined")
$(f).prepend('<input type="hidden" name="token" value="">');
$(f).find("input[name=token]").val(token);
}
}
});
document.getElementById("btn_submit").disabled = "disabled";
return true;

1
theme/basic/mobile/skin/qa/basic/list.skin.php
View File

@ -45,6 +45,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="stx" value="<?php echo $stx; ?>">
<input type="hidden" name="sca" value="<?php echo $sca; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="token" value="<?php echo get_text($token); ?>">
<?php if ($is_checkbox) { ?>
<div class="all_chk chk_box">

20
theme/basic/mobile/skin/qa/basic/write.skin.php
View File

@ -13,6 +13,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="sca" value="<?php echo $sca ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<?php
$option = '';
$option_hidden = '';
@ -173,6 +174,25 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
}
<?php } ?>
$.ajax({
type: "POST",
url: g5_bbs_url+"/ajax.write.token.php",
data: { 'token_case' : 'qa_write' },
cache: false,
async: false,
dataType: "json",
success: function(data) {
if (typeof data.token !== "undefined") {
token = data.token;
if(typeof f.token === "undefined")
$(f).prepend('<input type="hidden" name="token" value="">');
$(f).find("input[name=token]").val(token);
}
}
});
document.getElementById("btn_submit").disabled = "disabled";
return true;

1
theme/basic/skin/qa/basic/list.skin.php
View File

@ -72,6 +72,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="stx" value="<?php echo $stx; ?>">
<input type="hidden" name="sca" value="<?php echo $sca; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="token" value="<?php echo get_text($token); ?>">
<div class="tbl_head01 tbl_wrap">
<table>

20
theme/basic/skin/qa/basic/write.skin.php
View File

@ -14,6 +14,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
<input type="hidden" name="sca" value="<?php echo $sca ?>">
<input type="hidden" name="stx" value="<?php echo $stx ?>">
<input type="hidden" name="page" value="<?php echo $page ?>">
<input type="hidden" name="token" value="<?php echo $token ?>">
<?php
$option = '';
$option_hidden = '';
@ -166,6 +167,25 @@ add_stylesheet('<link rel="stylesheet" href="'.$qa_skin_url.'/style.css">', 0);
}
<?php } ?>
$.ajax({
type: "POST",
url: g5_bbs_url+"/ajax.write.token.php",
data: { 'token_case' : 'qa_write' },
cache: false,
async: false,
dataType: "json",
success: function(data) {
if (typeof data.token !== "undefined") {
token = data.token;
if(typeof f.token === "undefined")
$(f).prepend('<input type="hidden" name="token" value="">');
$(f).find("input[name=token]").val(token);
}
}
});
document.getElementById("btn_submit").disabled = "disabled";
return true;