From 7524d291889eb9bd5479e342a4d3090c2dcbe129 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 1 Oct 2018 10:48:59 +0900
Subject: [PATCH 1/6] =?UTF-8?q?KVE-2018-0732=20=EC=B7=A8=EC=95=BD=EC=A0=90?=
 =?UTF-8?q?=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/admin.lib.php | 13 +++++++++++++
 adm/member_list_update.php | 16 ++++++++--------
 lib/common.lib.php | 2 ++
 3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 48baae0fd..99d145276 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -489,6 +489,19 @@ if (isset($stx)) $arr_query[] = 'stx='.$stx;
 if (isset($page)) $arr_query[] = 'page='.$page;
 $qstr = implode("&", $arr_query);
+if ( isset($_REQUEST) && $_REQUEST ){
+ if( admin_referer_check(true) ){
+
+ foreach( $_REQUEST as $key=>$value ){
+ if( $value && preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
+ alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
+ die();
+ }
+ }
+
+ }
+}
+
 // 관리자에서는 추가 스크립트는 사용하지 않는다.
 //$config['cf_add_script'] = '';
 ?>
\ No newline at end of file
diff --git a/adm/member_list_update.php b/adm/member_list_update.php
index eb6d8f791..915fdb880 100644
--- a/adm/member_list_update.php
+++ b/adm/member_list_update.php
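Review bot: Array-valued request parameters slip through the new `foreach` unchecked, because `preg_match()` is handed the array itself as `$value`: it emits a warning and returns null, the `&&` chain is false, and the loop moves on, so a payload sent as `field[]=<script>…</script>` (the same `name[]` style `adm/member_list_update.php` reads via `$_POST['mb_id'][$k]`, presumably through this same library) is never inspected. The walk has to descend into array values instead of matching on them; a small recursive helper does that without changing the surrounding guard. Separately, the pattern pair only fires when a tag and a literal `script…/script` sequence are both present, so it is a narrow blocklist for inline `<script>` blocks rather than protection against event-handler or `javascript:` payloads, and escaping at the output sinks remains the actual control. This statement run is top-level code in `adm/admin.lib.php`, not inside a function.
```php
// … unchanged: isset($_REQUEST) / admin_referer_check(true) guard …
foreach ($_REQUEST as $key => $value) {
    admin_scan_request_value($value);
}
// … unchanged: closing braces …

// Checks one request value; arrays are walked recursively instead of being passed to preg_match().
function admin_scan_request_value($value) {
    if (is_array($value)) {
        foreach ($value as $inner) {
            admin_scan_request_value($inner);
        }
        return;
    }
    if ($value && preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value)) {
        alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
        die();
    }
}
```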
@@ -29,19 +29,19 @@ if ($_POST['act_button'] == "선택수정") {
 $msg .= $mb['mb_id'].' : 로그인 중인 관리자는 수정 할 수 없습니다.\\n';
 } else {
 if($_POST['mb_certify'][$k])
- $mb_adult = $_POST['mb_adult'][$k];
+ $mb_adult = (int) $_POST['mb_adult'][$k];
 else
 $mb_adult = 0;
 $sql = " update {$g5['member_table']}
- set mb_level = '{$_POST['mb_level'][$k]}',
- mb_intercept_date = '{$_POST['mb_intercept_date'][$k]}',
- mb_mailling = '{$_POST['mb_mailling'][$k]}',
- mb_sms = '{$_POST['mb_sms'][$k]}',
- mb_open = '{$_POST['mb_open'][$k]}',
- mb_certify = '{$_POST['mb_certify'][$k]}',
+ set mb_level = '".sql_real_escape_string($_POST['mb_level'][$k])."',
+ mb_intercept_date = '".sql_real_escape_string($_POST['mb_intercept_date'][$k])."',
+ mb_mailling = '".sql_real_escape_string($_POST['mb_mailling'][$k])."',
+ mb_sms = '".sql_real_escape_string($_POST['mb_sms'][$k])."',
+ mb_open = '".sql_real_escape_string($_POST['mb_open'][$k])."',
+ mb_certify = '".sql_real_escape_string($_POST['mb_certify'][$k])."',
 mb_adult = '{$mb_adult}'
- where mb_id = '{$_POST['mb_id'][$k]}' ";
+ where mb_id = '".sql_real_escape_string($_POST['mb_id'][$k])."' ";
 sql_query($sql);
 }
 }
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 77b78b5e9..8685f4e52 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -714,6 +714,8 @@ function get_group($gr_id)
 function get_member($mb_id, $fields='*')
 {
 global $g5;
+
+ $mb_id = preg_replace("/[^0-9a-z_]+/i", "", $mb_id);
 return sql_fetch(" select $fields from {$g5['member_table']} where mb_id = TRIM('$mb_id') ");
 }
From b7989d617fd1b4ae7b775c98764bb81916cc91de Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 5 Oct 2018 10:27:28 +0900
Subject: [PATCH 2/6] =?UTF-8?q?=EC=9E=98=EB=AA=BB=EB=90=9C=20=EC=BD=94?=
 =?UTF-8?q?=EB=93=9C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/faqlist.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
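Review bot: `mb_level` is still written as an arbitrary escaped string on the new `set mb_level = …` line, even though the same hunk coerces `mb_adult` with `(int)`; `sql_real_escape_string()` only prevents quote breakout, it does not constrain the privilege level to a number, so the two fields are handled inconsistently within one statement. Coercing it the same way is a one-line change: `set mb_level = '".(int)$_POST['mb_level'][$k]."',`. The other columns (`mb_intercept_date`, `mb_certify`, …) may legitimately be strings, so escaping is appropriate there; whether any of them is numeric in the schema is not visible in this hunk. Note that `$_POST['mb_level'][$k]` and its siblings are read without checking the key exists for this row, so a missing entry escapes to `''` and is silently written. The enclosing loop and the `if`/`else` around `$msg` begin before this hunk.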
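Review bot: The new `preg_replace()` in `get_member()` silently rewrites a malformed id instead of rejecting it, so a lookup for `admin'--` or `admin.` is answered with the record for `admin`; that keeps the interpolated SQL safe, but callers can no longer distinguish a bad id from a real one, and any caller that compares the returned `mb_id` with its own input will see them differ. Rejecting is tighter: `if ($mb_id !== preg_replace("/[^0-9a-z_]+/i", "", $mb_id)) return false;` — assuming callers already handle the zero-row return of `sql_fetch()` (not visible here; confirm what it returns and match it). The `TRIM()` in the query is now redundant, since whitespace is among the stripped characters.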
diff --git a/adm/faqlist.php b/adm/faqlist.php
index acfb094e9..80319c82f 100644
--- a/adm/faqlist.php
+++ b/adm/faqlist.php
@@ -22,7 +22,7 @@ $sql_common = " from {$g5['faq_table']} where fm_id = '$fm_id' ";
 // 테이블의 전체 레코드수만 얻음
 $sql = " select count(*) as cnt " . $sql_common;
 $row = sql_fetch($sql);
-$total_count = $row[cnt];
+$total_count = $row['cnt'];
 $sql = "select * $sql_common order by fa_order , fa_id ";
 $result = sql_query($sql);
@@ -60,7 +60,7 @@ $result = sql_query($sql);
 for ($i=0; $row=sql_fetch_array($result); $i++) {
 $row1 = sql_fetch(" select COUNT(*) as cnt from {$g5['faq_table']} where fm_id = '{$row['fm_id']}' ");
- $cnt = $row1[cnt];
+ $cnt = $row1['cnt'];
 $s_mod = icon("수정", "");
 $s_del = icon("삭제", "");
From 908d242e52715d18b6ba1b51fd68b802e19afd1a Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 5 Oct 2018 13:55:45 +0900
Subject: [PATCH 3/6] =?UTF-8?q?admin=5Fcheck=5Fxss=5Fparams=20=ED=95=A8?=
 =?UTF-8?q?=EC=88=98=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/admin.lib.php | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 99d145276..b62164b26 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -426,6 +426,25 @@ function admin_referer_check($return=false)
 }
 }
+function admin_check_xss_params($params){
+
+ if( ! $params ) return;
+
+ foreach( $params as $key=>$value ){
+
+ if ( empty($value) ) continue;
+
+ if( is_array($value) ){
+ admin_check_xss_params($params);
+ } else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
+ alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
+ die();
+ }
+ }
+
+ return;
+}
+
 // 접근 권한 검사
 if (!$member['mb_id']) {
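Review bot: The recursive call inside the `is_array($value)` branch passes `$params` instead of `$value`, so the first array-valued parameter re-enters `admin_check_xss_params()` with the very same array, takes the same branch again and recurses until PHP exhausts its stack; nested values are never scanned, and any request carrying `x[]=1` crashes the admin page instead of being checked. The fix is the one-line `admin_check_xss_params($value);`. `$key` is unused and can be dropped from the `foreach`, and `empty($value)` also skips the string `'0'`, which is harmless here but worth knowing. The pattern pair still only matches a literal `<…>` tag together with `script…/script` text, so this is a heuristic for inline `<script>` blocks rather than a general XSS filter; escaping at the output sinks remains the control that matters.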
@@ -491,14 +510,7 @@ $qstr = implode("&", $arr_query);
 if ( isset($_REQUEST) && $_REQUEST ){
 if( admin_referer_check(true) ){
-
- foreach( $_REQUEST as $key=>$value ){
- if( $value && preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && preg_match('/script.*?\/script/ius', $value) ){
- alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
- die();
- }
- }
-
+ admin_check_xss_params($_REQUEST);
 }
 }
From a4df23fe6d87ed394b0f9e98d35fa3826bfb0b77 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 8 Oct 2018 09:54:05 +0900
Subject: [PATCH 4/6] =?UTF-8?q?get=5Fselected=20get=5Fchecked=20=ED=95=A8?=
 =?UTF-8?q?=EC=88=98=20=EB=B9=84=EA=B5=90=EB=AC=B8=20=EC=BD=94=EB=93=9C=20?=
 =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 8685f4e52..b9d16cc64 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2070,13 +2070,13 @@ function abs_ip2long($ip='')
 function get_selected($field, $value)
 {
- return ($field==$value) ? ' selected="selected"' : '';
+ return ($field===$value) ? ' selected="selected"' : '';
 }
 function get_checked($field, $value)
 {
- return ($field==$value) ? ' checked="checked"' : '';
+ return ($field===$value) ? ' checked="checked"' : '';
 }
From eccdd7d473f4f2357ef61e79a9c62bd2ec308810 Mon Sep 17 00:00:00 2001
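Review bot: Switching `get_selected()`/`get_checked()` from `==` to `===` changes the result for every caller that passes an int on one side and a string on the other — a value fetched from the database is typically a string while the option constant in a template is often an int — so a call such as `get_checked($row['mb_mailling'], 1)` would now render nothing where it used to check the box. The motivation (loose comparison treating `0 == 'abc'` on older PHP or `'1e3' == '1000'` as equal) can be met without that breakage by comparing string forms: `return ((string)$field === (string)$value) ? ' selected="selected"' : '';` and the same for `get_checked()`. The claim about call-site types is inferred from how these helpers are normally used, not from anything visible in this hunk; the call sites should be audited before this ships.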
From: thisgun
Date: Mon, 8 Oct 2018 11:29:17 +0900
Subject: [PATCH 5/6] =?UTF-8?q?=EC=9D=B4=EB=A9=94=EC=9D=BC=20=EC=9D=B8?=
 =?UTF-8?q?=EC=A6=9D=EC=8B=9C=20=ED=83=88=ED=87=B4=EB=90=9C=20=ED=9A=8C?=
 =?UTF-8?q?=EC=9B=90=EC=9D=B4=EB=82=98=20=EC=B0=A8=EB=8B=A8=EB=90=9C=20?=
 =?UTF-8?q?=ED=9A=8C=EC=9B=90=EC=9D=80=20=EC=9D=B8=EC=A6=9D=EC=95=88?=
 =?UTF-8?q?=EB=90=98=EA=B2=8C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/email_certify.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/bbs/email_certify.php b/bbs/email_certify.php
index 80b4bf0b8..2fc735b32 100644
--- a/bbs/email_certify.php
+++ b/bbs/email_certify.php
@@ -4,11 +4,15 @@ include_once('./_common.php');
 $mb_id = trim($_GET['mb_id']);
 $mb_md5 = trim($_GET['mb_md5']);
-$sql = " select mb_id, mb_email_certify2 from {$g5['member_table']} where mb_id = '{$mb_id}' ";
+$sql = " select mb_id, mb_email_certify2, mb_leave_date, mb_intercept_date from {$g5['member_table']} where mb_id = '{$mb_id}' ";
 $row = sql_fetch($sql);
 if (!$row['mb_id']) alert('존재하는 회원이 아닙니다.', G5_URL);
+if ( $row['mb_leave_date'] || $row['mb_intercept_date'] ){
+ alert('탈퇴 또는 차단된 회원입니다.', G5_URL);
+}
+
 // 인증 링크는 한번만 처리가 되게 한다.
 sql_query(" update {$g5['member_table']} set mb_email_certify2 = '' where mb_id = '$mb_id' ");
From cb29c398cc2c50c52753ffea4a3ac4e3c812b490 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 8 Oct 2018 11:31:01 +0900
Subject: [PATCH 6/6] =?UTF-8?q?5.3.1.8=20=EB=B2=84=EC=A0=84=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.php b/config.php
index c341cebc0..57cadaacb 100644
--- a/config.php
+++ b/config.php
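Review bot: The rewritten `select` still interpolates the raw query-string value into SQL (`where mb_id = '{$mb_id}'`), and so does the `update` on the last line of the hunk; `$mb_id` comes straight from `trim($_GET['mb_id'])` two lines above with no escaping or character filter, while patch 1/6 of this same series wraps the equivalent admin queries in `sql_real_escape_string()`. The smallest change is at the source, `$mb_id = sql_real_escape_string(trim($_GET['mb_id']));`, or — if `$mb_id` is also echoed or placed in a URL later in the file, which is not visible here — escape at each query instead: `where mb_id = '".sql_real_escape_string($mb_id)."' "`. The new leave/intercept check relies on `alert()` ending the script, which the pre-existing `if (!$row['mb_id']) alert(...)` line already assumes, so that part is consistent. The `$mb_md5` comparison and the rest of the certification flow lie outside this hunk.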
@@ -5,7 +5,7 @@ ********************/
 define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.3.1.7');
+define('G5_GNUBOARD_VER', '5.3.1.8');
 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
 define('_GNUBOARD_', true);