From bafa1c43bf3ccfe576597555d2ef68a205ced828 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 15 Jun 2022 16:11:06 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2022-0120]=EA=B7=B8=EB=88=84=EB=B3=B4?= =?UTF-8?q?=EB=93=9C=5F=EB=B6=80=EC=A0=81=EC=A0=88=ED=95=9C=5F=EA=B6=8C?= =?UTF-8?q?=ED=95=9C=5F=EA=B2=80=EC=A6=9D=5F=EC=B7=A8=EC=95=BD=EC=A0=90=5F?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/password_reset.php | 3 ++-
 plugin/inicert/ini_find_result.php | 14 ++++++++++----
 plugin/inicert/ini_request.php | 2 +-
 plugin/inicert/ini_result.php | 12 +++++++++---
 4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/bbs/password_reset.php b/bbs/password_reset.php
index 088d734db..6600f3d4d 100644
--- a/bbs/password_reset.php
+++ b/bbs/password_reset.php
@@ -4,7 +4,8 @@ include_once('./_common.php');
 if ($is_member) { alert("이미 로그인중입니다."); goto_url(G5_URL); }
-if(!$_POST['mb_id']) { alert("잘못된 접근입니다."); goto_url(G5_URL); }
+$ss_cert_mb_id = isset($_SESSION['ss_cert_mb_id']) ? trim(get_session('ss_cert_mb_id')) : '';
+if(!(isset($_POST['mb_id']) && $_POST['mb_id'] === $ss_cert_mb_id)) { alert("잘못된 접근입니다."); goto_url(G5_URL); }
 if($config['cf_cert_find'] != 1) alert("본인인증을 이용하여 아이디/비밀번호 찾기를 할 수 없습니다. 관리자에게 문의 하십시오.");
diff --git a/plugin/inicert/ini_find_result.php b/plugin/inicert/ini_find_result.php
index 258e615ad..c0e9825b8 100644
--- a/plugin/inicert/ini_find_result.php
+++ b/plugin/inicert/ini_find_result.php
@@ -1,10 +1,10 @@ $mid,
@@ -13,6 +13,12 @@ if ($_POST["resultCode"] === "0000") {
 $post_data = json_encode($data);
+ $url_data = isset($_POST["authRequestUrl"]) ? @parse_url($_POST["authRequestUrl"]) : array();
+
+ if(!(isset($url_data["host"]) && preg_match("#\.inicis\.com$#", $url_data["host"]))){
+ alert('잘못된 요청입니다.', G5_URL);
+ }
+
 // curl 통신 시작
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $_POST["authRequestUrl"]);
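Review bot: The new guard in bbs/password_reset.php passes when both sides are empty: `$ss_cert_mb_id` falls back to `''` whenever no `ss_cert_mb_id` session exists, and a request carrying an empty `mb_id` then satisfies `isset($_POST['mb_id']) && $_POST['mb_id'] === $ss_cert_mb_id`, which the removed `!$_POST['mb_id']` check used to reject. The identity-verification binding only holds if the session value is required to be non-empty, so the condition should read `if ($ss_cert_mb_id === '' || !isset($_POST['mb_id']) || $_POST['mb_id'] !== $ss_cert_mb_id) { alert("잘못된 접근입니다."); goto_url(G5_URL); }`. Whether an empty `mb_id` reaching the rest of the script is harmful cannot be judged from this hunk, since the member lookup that follows lies outside it, but the guard should fail closed regardless. Trimming only the session side is fine as it stays fail-closed, but a one-line comment such as `// mb_id must match the identity verified in the current session` would make the intent of the comparison visible to the next reader.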
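Review bot: The host allowlist added in plugin/inicert/ini_find_result.php does not constrain the scheme, so the raw `$_POST["authRequestUrl"]` still handed to `curl_setopt($ch, CURLOPT_URL, ...)` may carry any scheme curl accepts as long as the host ends in `.inicis.com`, and `$` in `#\.inicis\.com$#` also matches before a trailing newline, where `\z` would not. If the verification endpoints this plugin calls are HTTPS only, which the page does not show but seems likely, tighten the check to `if(!(isset($url_data["scheme"], $url_data["host"]) && $url_data["scheme"] === "https" && preg_match("#\.inicis\.com\z#", $url_data["host"]))){` and consider restricting the handle with `CURLOPT_PROTOCOLS` to `CURLPROTO_HTTPS` so the parsed-URL check and curl's own parsing cannot disagree. The enclosing `if ($_POST["resultCode"] === "0000") {` block starts before this hunk and its curl call continues after it.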
@@ -73,7 +79,7 @@ if ($_POST["resultCode"] === "0000") {
 }
 }
 } else { // resultCode===0000 아닐경우 아래 인증 실패를 출력함
 // 인증실패
- alert_close('코드 : '.$_POST['resultCode'].' '.urldecode($_POST['resultMsg']));
+ alert_close('코드 : '.(isset($_POST['resultCode']) ? clean_xss_tags($_POST['resultCode'], 1, 1) : '').' '.(isset($_POST['resultMsg']) ? clean_xss_tags(urldecode($_POST['resultMsg']), 1, 1) : ''));
 exit;
 }
@@ -81,7 +87,7 @@ $g5['title'] = 'KG이니시스 간편인증 결과';
 include_once(G5_PATH.'/head.sub.php');
 ?>
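Review bot: The rewritten `alert_close` line in the `else` branch now packs two `isset` ternaries and two `clean_xss_tags` calls into a single expression, which hides the sanitisation step the commit is adding and is hard to review for the `urldecode`-before-clean ordering it relies on. Naming the two values first keeps the behaviour and makes each step visible: `$result_code = isset($_POST['resultCode']) ? clean_xss_tags($_POST['resultCode'], 1, 1) : '';` then `$result_msg = isset($_POST['resultMsg']) ? clean_xss_tags(urldecode($_POST['resultMsg']), 1, 1) : '';` and finally `alert_close('코드 : '.$result_code.' '.$result_msg);`. The `if` this `else` pairs with begins before the hunk.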
-"> +">