From a7fa3a20fc09482442e16d79a464d905d900d021 Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 4 Jan 2021 17:47:14 +0900 Subject: [PATCH] =?UTF-8?q?[KVE-2020-1276,1546]=20CSRF=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=A0=9C=EB=B3=B4=EB=A1=9C=20=201:1=20?= =?UTF-8?q?=EB=AC=B8=EC=9D=98=20=ED=86=A0=ED=81=B0=20=EC=B2=B4=ED=81=AC=20?= =?UTF-8?q?=EC=BD=94=EB=93=9C=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/ajax.write.token.php | 11 ++++++++++ bbs/qadelete.php | 6 ++++-- bbs/qalist.php | 7 +++++++ bbs/qaview.php | 7 +++++-- bbs/qawrite.php | 2 ++ bbs/qawrite_update.php | 9 +++++++++ mobile/skin/qa/basic/list.skin.php | 1 + mobile/skin/qa/basic/write.skin.php | 20 +++++++++++++++++++ skin/qa/basic/list.skin.php | 1 + skin/qa/basic/write.skin.php | 20 +++++++++++++++++++ .../basic/mobile/skin/qa/basic/list.skin.php | 1 + .../basic/mobile/skin/qa/basic/write.skin.php | 20 +++++++++++++++++++ theme/basic/skin/qa/basic/list.skin.php | 1 + theme/basic/skin/qa/basic/write.skin.php | 20 +++++++++++++++++++ 14 files changed, 122 insertions(+), 4 deletions(-) create mode 100644 bbs/ajax.write.token.php diff --git a/bbs/ajax.write.token.php b/bbs/ajax.write.token.php new file mode 100644 index 000000000..bc7b41dcc --- /dev/null +++ b/bbs/ajax.write.token.php @@ -0,0 +1,11 @@ +'', 'token'=>$token, 'url'=>''))); +} \ No newline at end of file diff --git a/bbs/qadelete.php b/bbs/qadelete.php index fa6036f9e..2ac1b2e97 100644 --- a/bbs/qadelete.php +++ b/bbs/qadelete.php 
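Review bot: Only the tail of the new endpoint survives in this rendering (`'', 'token'=>$token, 'url'=>'')));` followed by `}`), so the guard deciding whether a token is issued is not visible; the two things I would confirm are that it rejects guests the way qawrite.php does with `if($is_guest)`, and that the `token_case` value the skins post (`'qa_write'`) is matched against a fixed list of cases before it selects a session key rather than being concatenated into one. The visible array has string keys, so it encodes as a JSON object and cannot be consumed as a script, but the response should still carry `header('Content-Type: application/json; charset=utf-8');` so it is not sniffed as HTML. The closing `}` suggests the output sits inside a conditional, in which case a request that fails the condition presumably ends with an empty body, which the skins' `typeof data.token !== "undefined"` guard swallows silently; returning a populated `'error'` field instead would make that failure visible to the user. The file also lacks a trailing newline, as `\ No newline at end of file` records.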
@@ -4,11 +4,13 @@ include_once('./_common.php');
 if($is_guest)
 alert('회원이시라면 로그인 후 이용해 주십시오.', G5_URL);
+$token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';
+
 $delete_token = get_session('ss_qa_delete_token');
 set_session('ss_qa_delete_token', '');
-//관리자가 아닌경우에는 토큰을 검사합니다.
-if (!$is_admin && !($token && $delete_token == $token))
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $delete_token === $token))
 alert('토큰 에러로 삭제 불가합니다.');
 $tmp_array = array();
diff --git a/bbs/qalist.php b/bbs/qalist.php
index 6b8da8cfb..08fd0b175 100644
--- a/bbs/qalist.php
+++ b/bbs/qalist.php
@@ -6,6 +6,12 @@ if($is_guest)
 $qaconfig = get_qa_config();
+$token = '';
+if( $is_admin ){
+ $token = _token();
+ set_session('ss_qa_delete_token', $token);
+}
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
@@ -13,6 +19,7 @@ $skin_file = $qa_skin_path.'/list.skin.php';
 $is_auth = $is_admin ? true : false;
 $category_option = '';
+
 if ($qaconfig['qa_category']) {
 $category_href = G5_BBS_URL.'/qalist.php';
diff --git a/bbs/qaview.php b/bbs/qaview.php
index 7ff48b628..59543188f 100644
--- a/bbs/qaview.php
+++ b/bbs/qaview.php
@@ -10,6 +10,9 @@ if($is_guest)
 $qaconfig = get_qa_config();
 $content = '';
+$token = _token();
+set_session('ss_qa_delete_token', $token);
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
@@ -110,9 +113,9 @@ if(is_file($skin_file)) {
 $update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$view['qa_id'].$qstr;
 }
 */
+
 if(($view['qa_type'] && $is_admin) || (!$view['qa_type'] && $view['qa_status'] == 0)) {
 $update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$view['qa_id'].$qstr;
- set_session('ss_qa_delete_token', $token = uniqid(time()));
 $delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].'&token='.$token.$qstr;
 }
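Review bot: The token read from `$_REQUEST['token']` in qadelete.php is now compared with `===`, which fixes the loose `==` of the removed line, but `$_REQUEST` also merges `$_COOKIE` under a non-default `request_order` and a non-string value reaches the comparison unchecked; the delete link built in qaview.php passes it as a query parameter and the list skins presumably post it, so read those two sources explicitly and type the value: `$token = isset($_POST['token']) ? $_POST['token'] : (isset($_GET['token']) ? $_GET['token'] : '');` followed by `if (!is_string($token)) $token = '';`. For a secret the constant-time form is the idiomatic check, `if ($token === '' || !is_string($delete_token) || $delete_token === '' || !hash_equals($delete_token, $token))`, which also makes the empty-session case explicit instead of relying on `$token` being truthy. Clearing `ss_qa_delete_token` before the check is the right order, since a rejected value cannot be retried.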
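Review bot: `ss_qa_delete_token` is overwritten on every qalist.php and qaview.php load (both hunks here) and cleared by qadelete.php on use, so one session slot holds exactly the token of the most recent page view; an admin who opens a question and then the list in another tab finds the delete link in the first tab rejected with the token error. The token is bound to the authenticated session and only readable from same-origin pages, so one token per session is sufficient: reuse the stored value when present, e.g. `$token = get_session('ss_qa_delete_token'); if (!$token) { $token = _token(); set_session('ss_qa_delete_token', $token); }`, in both files. The removed `uniqid(time())` was predictable, so switching to `_token()` is the substantive fix and should stay. I assume `_token()` yields URL-safe characters, since the value is concatenated into `$delete_href` without `urlencode()`; worth confirming.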
@@ -129,7 +132,7 @@ if(is_file($skin_file)) {
 if($is_admin) {
 $answer_update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$answer['qa_id'].$qstr;
- $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].$qstr;
+ $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].'&token='.$token.$qstr;
 }
 }
diff --git a/bbs/qawrite.php b/bbs/qawrite.php
index 86d65d037..fb041e0ad 100644
--- a/bbs/qawrite.php
+++ b/bbs/qawrite.php
@@ -13,6 +13,8 @@ if($is_guest)
 alert('회원이시라면 로그인 후 이용해 보십시오.', './login.php?url='.urlencode(G5_BBS_URL.'/qalist.php'));
 $qaconfig = get_qa_config();
+$token = _token();
+set_session('ss_qa_write_token', $token);
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
diff --git a/bbs/qawrite_update.php b/bbs/qawrite_update.php
index 9b4416cc7..7a74e6083 100644
--- a/bbs/qawrite_update.php
+++ b/bbs/qawrite_update.php
@@ -12,6 +12,15 @@ if($is_guest)
 $msg = array();
+$write_token = get_session('ss_qa_write_token');
+set_session('ss_qa_write_token', '');
+
+$token = isset($_POST['token']) ? clean_xss_tags($_POST['token'], 1, 1) : '';
+
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $write_token === $token))
+ alert('토큰 에러로 삭제 불가합니다.');
+
 // 1:1문의 설정값
 $qaconfig = get_qa_config();
 $qa_id = isset($_POST['qa_id']) ? (int) $_POST['qa_id'] : 0;
diff --git a/mobile/skin/qa/basic/list.skin.php b/mobile/skin/qa/basic/list.skin.php
index 0bf98e366..7db40baf0 100644
--- a/mobile/skin/qa/basic/list.skin.php
+++ b/mobile/skin/qa/basic/list.skin.php
@@ -45,6 +45,7 @@ add_stylesheet('', 0); +
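Review bot: The failure message on the new check in qawrite_update.php, `alert('토큰 에러로 삭제 불가합니다.');`, says deletion is impossible — copied from qadelete.php — but this script handles registration and update, so the text should say so, e.g. `alert('토큰 에러로 등록 불가합니다.');`. The comparison itself is sound, with the session copy cleared before the check and `===` used; `hash_equals($write_token, $token)` guarded by `is_string($write_token) && $write_token !== ''` is the idiomatic form for a secret. A one-line comment on the `set_session('ss_qa_write_token', '')` line stating the intent would help the next reader, e.g. `// single-use: cleared before validation so a rejected token cannot be replayed`.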
diff --git a/mobile/skin/qa/basic/write.skin.php b/mobile/skin/qa/basic/write.skin.php index e8c8c61b6..4d879f73e 100644 --- a/mobile/skin/qa/basic/write.skin.php +++ b/mobile/skin/qa/basic/write.skin.php @@ -13,6 +13,7 @@ add_stylesheet('', 0); + ', 0); } + $.ajax({ + type: "POST", + url: g5_bbs_url+"/ajax.write.token.php", + data: { 'token_case' : 'qa_write' }, + cache: false, + async: false, + dataType: "json", + success: function(data) { + if (typeof data.token !== "undefined") { + token = data.token; + + if(typeof f.token === "undefined") + $(f).prepend(''); + + $(f).find("input[name=token]").val(token); + } + } + }); + document.getElementById("btn_submit").disabled = "disabled"; return true; diff --git a/skin/qa/basic/list.skin.php b/skin/qa/basic/list.skin.php index d32852783..56df884ee 100644 --- a/skin/qa/basic/list.skin.php +++ b/skin/qa/basic/list.skin.php @@ -72,6 +72,7 @@ add_stylesheet('', 0); +
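Review bot: The submit handler's `$.ajax` block has no `error` callback, so when the token request fails (expired session, HTTP error) `token` stays unset, the form is submitted anyway and the user sees the server-side token error instead of a retryable message; add `error: function() { tokenFailed = true; }` beside `success`, declare `var tokenFailed = false;` at the top of the handler, and before the `disabled = "disabled"` line put `if (tokenFailed) { alert("<constructed: token request failed, please retry>"); return false; }`. `token = data.token;` assigns to a name that is not declared in the visible lines, which creates an implicit global unless the enclosing function, whose start lies outside the hunk, declares it; a `var token;` there avoids that. `async: false` is what lets the handler wait, but synchronous XHR on the main thread is deprecated by browsers; a non-blocking alternative is to fetch the token first and call `f.submit()` from the callback. The `$(f).prepend('…')` markup is stripped in this rendering, so the injected hidden input could not be checked. The same block is repeated verbatim in skin/qa/basic/write.skin.php, theme/basic/mobile/skin/qa/basic/write.skin.php and theme/basic/skin/qa/basic/write.skin.php, and all of this applies to each of them.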
diff --git a/skin/qa/basic/write.skin.php b/skin/qa/basic/write.skin.php index d1feabb29..9f587c086 100644 --- a/skin/qa/basic/write.skin.php +++ b/skin/qa/basic/write.skin.php @@ -14,6 +14,7 @@ add_stylesheet('', 0); + ', 0); } + $.ajax({ + type: "POST", + url: g5_bbs_url+"/ajax.write.token.php", + data: { 'token_case' : 'qa_write' }, + cache: false, + async: false, + dataType: "json", + success: function(data) { + if (typeof data.token !== "undefined") { + token = data.token; + + if(typeof f.token === "undefined") + $(f).prepend(''); + + $(f).find("input[name=token]").val(token); + } + } + }); + document.getElementById("btn_submit").disabled = "disabled"; return true; diff --git a/theme/basic/mobile/skin/qa/basic/list.skin.php b/theme/basic/mobile/skin/qa/basic/list.skin.php index 0bf98e366..7db40baf0 100644 --- a/theme/basic/mobile/skin/qa/basic/list.skin.php +++ b/theme/basic/mobile/skin/qa/basic/list.skin.php @@ -45,6 +45,7 @@ add_stylesheet('', 0); +
diff --git a/theme/basic/mobile/skin/qa/basic/write.skin.php b/theme/basic/mobile/skin/qa/basic/write.skin.php index e8c8c61b6..4d879f73e 100644 --- a/theme/basic/mobile/skin/qa/basic/write.skin.php +++ b/theme/basic/mobile/skin/qa/basic/write.skin.php @@ -13,6 +13,7 @@ add_stylesheet('', 0); + ', 0); } + $.ajax({ + type: "POST", + url: g5_bbs_url+"/ajax.write.token.php", + data: { 'token_case' : 'qa_write' }, + cache: false, + async: false, + dataType: "json", + success: function(data) { + if (typeof data.token !== "undefined") { + token = data.token; + + if(typeof f.token === "undefined") + $(f).prepend(''); + + $(f).find("input[name=token]").val(token); + } + } + }); + document.getElementById("btn_submit").disabled = "disabled"; return true; diff --git a/theme/basic/skin/qa/basic/list.skin.php b/theme/basic/skin/qa/basic/list.skin.php index d32852783..56df884ee 100644 --- a/theme/basic/skin/qa/basic/list.skin.php +++ b/theme/basic/skin/qa/basic/list.skin.php @@ -72,6 +72,7 @@ add_stylesheet('', 0); +
diff --git a/theme/basic/skin/qa/basic/write.skin.php b/theme/basic/skin/qa/basic/write.skin.php index d1feabb29..9f587c086 100644 --- a/theme/basic/skin/qa/basic/write.skin.php +++ b/theme/basic/skin/qa/basic/write.skin.php @@ -14,6 +14,7 @@ add_stylesheet('', 0); + ', 0); } + $.ajax({ + type: "POST", + url: g5_bbs_url+"/ajax.write.token.php", + data: { 'token_case' : 'qa_write' }, + cache: false, + async: false, + dataType: "json", + success: function(data) { + if (typeof data.token !== "undefined") { + token = data.token; + + if(typeof f.token === "undefined") + $(f).prepend(''); + + $(f).find("input[name=token]").val(token); + } + } + }); + document.getElementById("btn_submit").disabled = "disabled"; return true;