From 66358414f2b1f8587239ee8ef6cb2e6e65ae4784 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 8 Dec 2017 11:27:37 +0900
Subject: [PATCH 1/5] =?UTF-8?q?pht=20=ED=8C=8C=EC=9D=BC=20=EC=97=85?=
 =?UTF-8?q?=EB=A1=9C=EB=93=9C=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95=20adm1nkyj(=EA=B9=80=EC=9A=A9=EC=A7=84,=20http://adm1?=
 =?UTF-8?q?nkyj.kr)=20=EB=8B=98=20=EC=A0=9C=EB=B3=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/qawrite_update.php | 2 +-
 bbs/write_update.php | 2 +-
 install/install_db.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bbs/qawrite_update.php b/bbs/qawrite_update.php
index b00d0827b..69a4efa82 100644
--- a/bbs/qawrite_update.php
+++ b/bbs/qawrite_update.php
@@ -200,7 +200,7 @@ for ($i=1; $i<=count($_FILES['bf_file']['name']); $i++) {
 $upload[$i]['filesize'] = $filesize;
 // 아래의 문자열이 들어간 파일은 -x 를 붙여서 웹경로를 알더라도 실행을 하지 못하도록 함
- $filename = preg_replace("/\.(php|phtm|htm|cgi|pl|exe|jsp|asp|inc)/i", "$0-x", $filename);
+ $filename = preg_replace("/\.(php|pht|phtm|htm|cgi|pl|exe|jsp|asp|inc)/i", "$0-x", $filename);
 shuffle($chars_array);
 $shuffle = implode('', $chars_array);
diff --git a/bbs/write_update.php b/bbs/write_update.php
index 2dbbddde1..2b37dbd23 100644
--- a/bbs/write_update.php
+++ b/bbs/write_update.php
@@ -524,7 +524,7 @@ for ($i=0; $i + Order allow,deny Deny from all
From 8755c8ece7f8ca0a02041ced0d979ba6c0c7586f Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 11 Dec 2017 14:34:01 +0900
Subject: [PATCH 2/5] =?UTF-8?q?Open=20Redirect=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/logout.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bbs/logout.php b/bbs/logout.php
index 3bcb99cef..4d071e428 100644
--- a/bbs/logout.php
+++ b/bbs/logout.php
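Review bot: The new alternation `php|pht|phtm` makes the `phtm` entry unreachable — `pht` is a prefix of it and alternatives are tried in order, so `.phtm` now becomes `.pht-xm` rather than `.phtm-x` (still neutralised, but the entry is dead). Because the pattern is unanchored and prefix-matching, `pht` already covers `.phtm` and `.phtml`, so the list could be simplified to `"/\.(php|phar|pht|htm|cgi|pl|exe|jsp|asp|inc)/i"`, which also adds `phar`, an extension that some Apache PHP handler configurations map to the interpreter and which the current list leaves untouched. The same line is presumably changed in bbs/write_update.php, whose hunk is garbled in this view and could not be reviewed.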
@@ -11,7 +11,10 @@ set_cookie('ck_auto', '', 0); // 자동로그인 해제 end --------------------------------
 if ($url) {
- $p = @parse_url($url);
+ if ( substr($url, 0, 2) == '//' )
+ $url = 'http:' . $url;
+
+ $p = @parse_url(urldecode($url));
 if ($p['scheme'] || $p['host']) {
 alert('url에 도메인을 지정할 수 없습니다.');
 }
From 7f9664af0a3d470c6f23d09859ff69f593921eec Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 11 Dec 2017 17:52:20 +0900
Subject: [PATCH 3/5] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20Refl?=
 =?UTF-8?q?ected=20XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20(891,=20906,=20908,?=
 =?UTF-8?q?=20910)=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/poll_form.php | 2 ++
 adm/sms_admin/form_group_update.php | 14 +++++++++-----
 adm/sms_admin/form_update.php | 3 +++
 adm/sms_admin/num_group_update.php | 10 ++++++----
 4 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/adm/poll_form.php b/adm/poll_form.php
index 6181b1375..2d259b58e 100644
--- a/adm/poll_form.php
+++ b/adm/poll_form.php
@@ -4,6 +4,8 @@ include_once('./_common.php');
 auth_check($auth[$sub_menu], 'w');
+$po_id = isset($po_id) ? (int) $po_id : 0;
+
 $html_title = '투표';
 if ($w == '') $html_title .= ' 생성';
diff --git a/adm/sms_admin/form_group_update.php b/adm/sms_admin/form_group_update.php
index 058980a11..ee8b1627a 100644
--- a/adm/sms_admin/form_group_update.php
+++ b/adm/sms_admin/form_group_update.php
@@ -10,9 +10,9 @@ if ($w == 'u') // 업데이트
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $fg_no = $_POST['fg_no'][$k];
- $fg_name = $_POST['fg_name'][$k];
- $fg_member = $_POST['fg_member'][$k];
+ $fg_no = (int) $_POST['fg_no'][$k];
+ $fg_name = strip_tags($_POST['fg_name'][$k]);
+ $fg_member = strip_tags($_POST['fg_member'][$k]);
 if (!is_numeric($fg_no)) alert('그룹 고유번호가 없습니다.');
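Review bot: The protocol-relative check only looks for a leading `//`, but browsers normalise backslashes to slashes, so a value that begins with `/\` or `\\` has no `host` after parse_url() and still passes the `$p['scheme'] || $p['host']` test. Normalise the decoded value before testing it — `$url = str_replace('\\', '/', urldecode($url));` then `if (substr($url, 0, 2) === '//') $url = 'http:' . $url;` and `$p = @parse_url($url);` — so the prefix test and parse_url() see the same string. Prefer `===` over `==` in the substr() comparison. The enclosing `if ($url)` block continues past the end of the hunk.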
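Review bot: The `(int)` cast is the right fix for an integer id, but the new line carries no explanation of why it sits here, and it depends on `$po_id` already having been populated from the request by the included common code, which the hunk does not show. A short comment such as `// force integer: the id is reflected back into the form (reflected XSS fix)` would keep the next maintainer from removing it. Note that a missing or non-numeric id now silently becomes 0; if 0 is not the intended "new poll" sentinel further down, that should be checked where the value is used.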
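Review bot: After `$fg_no = (int) $_POST['fg_no'][$k];` the following `if (!is_numeric($fg_no))` can never be true — an int is always numeric — so the '그룹 고유번호가 없습니다.' alert is dead code and a missing or garbage id silently becomes 0 and flows on into the queries that follow outside the hunk. Keep the cast but validate its result, e.g. `if ($fg_no <= 0) alert('그룹 고유번호가 없습니다.');`, or run is_numeric() on the raw `$_POST['fg_no'][$k]` before casting. The same pattern appears in this file's hunk at line 38 and in adm/sms_admin/num_group_update.php at lines 10 and 36. The enclosing for loop starts outside the hunk.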
@@ -38,7 +38,7 @@ else if ($w == 'de') // 그룹삭제
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $fg_no = $_POST['fg_no'][$k];
+ $fg_no = (int) $_POST['fg_no'][$k];
 if (!is_numeric($fg_no)) alert('그룹 고유번호가 없습니다.');
@@ -57,7 +57,7 @@ else if ($w == 'em')
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $fg_no = $_POST['fg_no'][$k];
+ $fg_no = (int) $_POST['fg_no'][$k];
 if ($fg_no == 'no') $fg_no = 0;
@@ -71,6 +71,8 @@ else if ($w == 'no')
 {
 if ($fg_no == 'no') $fg_no = 0;
+ $fg_no = (int) $fg_no;
+
 if ($fg_no) sql_query("update {$g5['sms5_form_group_table']} set fg_count = 0 where fg_no = '$fg_no'");
@@ -81,6 +83,8 @@ else // 등록
 if (!strlen(trim($fg_name))) alert('그룹명을 입력해주세요');
+ $fg_name = strip_tags($fg_name);
+
 $res = sql_fetch("select fg_name from {$g5['sms5_form_group_table']} where fg_name = '$fg_name'");
 if ($res) alert('같은 그룹명이 존재합니다.');
diff --git a/adm/sms_admin/form_update.php b/adm/sms_admin/form_update.php
index 9059b91bf..080656e94 100644
--- a/adm/sms_admin/form_update.php
+++ b/adm/sms_admin/form_update.php
@@ -4,6 +4,9 @@ include_once("./_common.php");
 auth_check($auth[$sub_menu], "w");
+$fo_name = isset($fo_name) ? strip_tags($fo_name) : '';
+$fo_content = isset($fo_content) ? strip_tags($fo_content) : '';
+
 $g5['title'] = "이모티콘 업데이트";
 if ($w == 'u') // 업데이트
diff --git a/adm/sms_admin/num_group_update.php b/adm/sms_admin/num_group_update.php
index ea9af2423..f23f31bea 100644
--- a/adm/sms_admin/num_group_update.php
+++ b/adm/sms_admin/num_group_update.php
@@ -10,8 +10,8 @@ if ($w == 'u') // 업데이트
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $bg_no = $_POST['bg_no'][$k];
- $bg_name = $_POST['bg_name'][$k];
+ $bg_no = (int) $_POST['bg_no'][$k];
+ $bg_name = strip_tags($_POST['bg_name'][$k]);
 if (!is_numeric($bg_no)) alert('그룹 고유번호가 없습니다.');
@@ -36,7 +36,7 @@ else if ($w == 'de') // 그룹삭제
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $bg_no = $_POST['bg_no'][$k];
+ $bg_no = (int) $_POST['bg_no'][$k];
 if (!is_numeric($bg_no)) alert('그룹 고유번호가 없습니다.');
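Review bot: In the `em` branch (hunk at line 57) the cast now runs before `if ($fg_no == 'no') $fg_no = 0;`, which turns that line into a no-op: `(int) 'no'` is already 0, and for any other value the loose comparison of an int with `'no'` either fails or, for 0 on PHP 7, reassigns 0. Either drop the line or mirror the order used by the `no` branch hunk at line 71 — read the raw value, apply the `'no'` check, then cast: `$fg_no = $_POST['fg_no'][$k];` / `if ($fg_no == 'no') $fg_no = 0;` / `$fg_no = (int) $fg_no;`. The enclosing loop body continues outside the hunk.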
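Review bot: In the 등록 branch (hunk at line 81) `strip_tags()` is applied after the `strlen(trim($fg_name))` emptiness check, so a name made only of markup passes the check and is stored as an empty string; the 등록 branch of adm/sms_admin/num_group_update.php (hunk at line 63) strips first. Move `$fg_name = strip_tags($fg_name);` above the `if (!strlen(trim($fg_name)))` line so the check sees the value that is actually stored.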
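Review bot: `strip_tags()` on input is a lossy mitigation — it drops any legitimate `<` in `$fo_content` and gives no protection in attribute or JavaScript contexts — whereas escaping with `htmlspecialchars(..., ENT_QUOTES)` at the points where these values are echoed keeps the data intact and covers every output site. If the input filter is kept, a comment such as `// reflected XSS fix: tags removed here because the values are reflected into the form` would document why the two lines sit before the title assignment. The lines also presume `$fo_name` and `$fo_content` have already been populated from the request by the included common code, which the hunk does not show.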
@@ -55,7 +55,7 @@ else if ($w == 'em') // 비우기
 {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
- $bg_no = $_POST['bg_no'][$k];
+ $bg_no = (int) $_POST['bg_no'][$k];
 sql_query("update {$g5['sms5_book_group_table']} set bg_count = 0, bg_member = 0, bg_nomember = 0, bg_receipt = 0, bg_reject = 0 where bg_no='$bg_no'");
 sql_query("delete from {$g5['sms5_book_table']} where bg_no='$bg_no'");
@@ -63,6 +63,8 @@ else if ($w == 'em') // 비우기
 }
 else // 등록
 {
+ $bg_name = strip_tags($bg_name);
+
 if (!strlen(trim($bg_name))) alert('그룹명을 입력해주세요');
From 875a326344b2980c25f181c8e9579d2e59cafc09 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 12 Dec 2017 11:59:10 +0900
Subject: [PATCH 4/5] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20CSRF?=
 =?UTF-8?q?=20=EC=B7=A8=EC=95=BD=EC=A0=90(KVE-2017-0883,0884,0923)=20?=
 =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/member_list_update.php | 2 ++
 bbs/memo.php | 4 +++-
 bbs/memo_delete.php | 6 ++++++
 bbs/qadelete.php | 6 ++++++
 bbs/qaview.php | 3 ++-
 5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/adm/member_list_update.php b/adm/member_list_update.php
index 6c5049a86..eb6d8f791 100644
--- a/adm/member_list_update.php
+++ b/adm/member_list_update.php
@@ -10,6 +10,8 @@ if (!count($_POST['chk'])) {
 auth_check($auth[$sub_menu], 'w');
+check_admin_token();
+
 if ($_POST['act_button'] == "선택수정") {
 for ($i=0; $i Date: Mon, 18 Dec 2017 12:21:23 +0900
Subject: [PATCH 5/5] =?UTF-8?q?=ED=8C=8C=EC=9D=BC=20=EC=97=85=EB=A1=9C?=
 =?UTF-8?q?=EB=93=9C=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 978050c8f..b194ffeeb 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2952,9 +2952,13 @@ function replace_filename($name)
 @session_start();
 $ss_id = session_id();
 $usec = get_microtime();
- $ext = array_pop(explode('.', $name));
+ $file_path = pathinfo($name);
+ $ext = $file_path['extension'];
+ $return_filename = sha1($ss_id.$_SERVER['REMOTE_ADDR'].$usec);
+ if( $ext )
+ $return_filename .= '.'.$ext;
- return sha1($ss_id.$_SERVER['REMOTE_ADDR'].$usec).'.'.$ext;
+ return $return_filename;
 }
 // 아이코드 사용자정보
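Review bot: `$file_path['extension']` is read unconditionally, but pathinfo() omits the `extension` key for a name that contains no dot, so such a name raises an undefined-index notice before the `if( $ext )` guard runs. Read it defensively, `$ext = isset($file_path['extension']) ? $file_path['extension'] : '';`, and test `$ext !== ''` rather than truthiness so an extension of `0` is not silently dropped. Nothing in this function filters the extension itself; the `-x` renaming of executable extensions is done by callers such as the bbs/qawrite_update.php hunk in patch 1, so a comment stating that this helper only randomises the base name and must be paired with the caller's extension check would prevent it being relied on alone. The start of replace_filename() lies outside the hunk.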