[KVE-2020-1276,1546] CSRF 취약점 제보로 1:1 문의 토큰 체크 코드 추가

2021-01-04 17:47:14 +09:00
parent 83b4c80964
commit a7fa3a20fc
14 changed files with 122 additions and 4 deletions
--- a/bbs/ajax.write.token.php
+++ b/bbs/ajax.write.token.php
@ -0,0 +1,11 @@
+<?php
+include_once('./_common.php');
+include_once(G5_LIB_PATH.'/json.lib.php');
+
+$token_case = isset($_POST['token_case']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['token_case']) : '';
+
+if( $token_case ){
+    $token = _token();
+    set_session('ss_'.$token_case.'_token', $token);
+    die(json_encode(array('error'=>'', 'token'=>$token, 'url'=>'')));
+}
--- a/bbs/qadelete.php
+++ b/bbs/qadelete.php
@ -4,11 +4,13 @@ include_once('./_common.php');
 if($is_guest)
    alert('회원이시라면 로그인 후 이용해 주십시오.', G5_URL);

+$token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';
+
 $delete_token = get_session('ss_qa_delete_token');
 set_session('ss_qa_delete_token', '');

-//관리자가 아닌경우에는 토큰을 검사합니다.
-if (!$is_admin && !($token && $delete_token == $token))
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $delete_token === $token))
    alert('토큰 에러로 삭제 불가합니다.');

 $tmp_array = array();
--- a/bbs/qalist.php
+++ b/bbs/qalist.php
@ -6,6 +6,12 @@ if($is_guest)

 $qaconfig = get_qa_config();

+$token = '';
+if( $is_admin ){
+    $token = _token();
+    set_session('ss_qa_delete_token', $token);
+}
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');

@ -13,6 +19,7 @@ $skin_file = $qa_skin_path.'/list.skin.php';
 $is_auth = $is_admin ? true : false;

 $category_option = '';
+
 if ($qaconfig['qa_category']) {
    $category_href = G5_BBS_URL.'/qalist.php';

--- a/bbs/qaview.php
+++ b/bbs/qaview.php
@ -10,6 +10,9 @@ if($is_guest)
 $qaconfig = get_qa_config();
 $content = '';

+$token = _token();
+set_session('ss_qa_delete_token', $token);
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');

@ -110,9 +113,9 @@ if(is_file($skin_file)) {
            $update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$view['qa_id'].$qstr;
    }
    */
+
    if(($view['qa_type'] && $is_admin) || (!$view['qa_type'] && $view['qa_status'] == 0)) {
        $update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$view['qa_id'].$qstr;
-        set_session('ss_qa_delete_token', $token = uniqid(time()));
        $delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].'&amp;token='.$token.$qstr;
    }

@ -129,7 +132,7 @@ if(is_file($skin_file)) {

        if($is_admin) {
            $answer_update_href = G5_BBS_URL.'/qawrite.php?w=u&amp;qa_id='.$answer['qa_id'].$qstr;
-            $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].$qstr;
+            $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].'&amp;token='.$token.$qstr;
        }
    }

--- a/bbs/qawrite.php
+++ b/bbs/qawrite.php
@ -13,6 +13,8 @@ if($is_guest)
    alert('회원이시라면 로그인 후 이용해 보십시오.', './login.php?url='.urlencode(G5_BBS_URL.'/qalist.php'));

 $qaconfig = get_qa_config();
+$token = _token();
+set_session('ss_qa_write_token', $token);

 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
--- a/bbs/qawrite_update.php
+++ b/bbs/qawrite_update.php
@ -12,6 +12,15 @@ if($is_guest)

 $msg = array();

+$write_token = get_session('ss_qa_write_token');
+set_session('ss_qa_write_token', '');
+
+$token = isset($_POST['token']) ? clean_xss_tags($_POST['token'], 1, 1) : '';
+
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $write_token === $token))
+    alert('토큰 에러로 삭제 불가합니다.');
+
 // 1:1문의 설정값
 $qaconfig = get_qa_config();
 $qa_id = isset($_POST['qa_id']) ? (int) $_POST['qa_id'] : 0;