From c03fec73b9aeb6571271f4141788e614cc3f6e82 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 17 Aug 2018 14:45:04 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2018-0441,0449,0510=20=EA=B7=B8=EB=88=84?=
 =?UTF-8?q?=EB=B3=B4=EB=93=9C=20=EC=98=81=EC=B9=B4=ED=8A=B8=20=EB=8B=A4?=
 =?UTF-8?q?=EC=A4=91=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/board_form_update.php | 18 +++++++++---------
 adm/contentformupdate.php | 5 ++++-
 adm/qa_config_update.php | 5 ++++-
 adm/sms_admin/num_book_write.php | 10 ++++------
 bbs/formmail_send.php | 7 +++----
 bbs/member_confirm.php | 4 ++++
 lib/common.lib.php | 6 +++---
 7 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 8b40bc8d2..912887760 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -14,11 +14,11 @@ if (!$bo_table) { alert('게시판 TABLE명은 반드시 입력하세요.'); } if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); } if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); } -$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255)); -$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255)); +$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255)); +$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255)); // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) { @@ -26,7 +26,7 @@ if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board } } -if ($file = $_POST['bo_include_head']) { +if ($file = $bo_include_head) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { @@ -35,7 +35,7 @@ if ($file = $_POST['bo_include_head']) { $_POST['bo_include_head'] = $file; } -if ($file = $_POST['bo_include_tail']) { +if ($file = $bo_include_tail) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { 
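Review bot: The new `$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", ...)` lines remove the `<?php`/`<?` token in a single, non-repeating pass, so a value that reforms the token once a copy of it has been deleted comes out of the filter unchanged; sanitising by deletion is weaker than refusing the value. Prefer to reject, reusing the message this file already has: `if (preg_match('#<\?#', $bo_include_head.$bo_include_tail)) { alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); }`, or fold the `<?` test into `is_include_path_check()`, which is already called on both values further down. The identical single-pass strip is added in adm/contentformupdate.php (hunk at line 20) and adm/qa_config_update.php (hunk at line 12) and should be handled the same way in all three.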
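Review bot: After the `if ($file = $bo_include_head) {` change this block still ends with `$_POST['bo_include_head'] = $file;` (visible as context at the top of the next hunk), while the SQL assembly at line 125 now reads `$bo_include_head`, so that write-back has become a stale store; the `if ($file = $bo_include_tail) {` block below it has the same leftover. Either remove the two `$_POST[...] = $file;` lines or, if something later in the file still reads `$_POST`, assign the local variable as well so the two views cannot drift apart. Both `if` blocks continue past the end of their hunks.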
@@ -44,11 +44,11 @@ if ($file = $_POST['bo_include_tail']) { $_POST['bo_include_tail'] = $file; } -if(!is_include_path_check($_POST['bo_include_head'], 1)) { +if(!is_include_path_check($bo_include_head, 1)) { alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } -if(!is_include_path_check($_POST['bo_include_tail'], 1)) { +if(!is_include_path_check($bo_include_tail, 1)) { alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } @@ -125,8 +125,8 @@ $sql_common = " gr_id = '{$_POST['gr_id']}', // 최고 관리자인 경우에만 수정가능 if ($is_admin === 'super'){ -$sql_common .= " bo_include_head = '{$_POST['bo_include_head']}', - bo_include_tail = '{$_POST['bo_include_tail']}', +$sql_common .= " bo_include_head = '".$bo_include_head."', + bo_include_tail = '".$bo_include_tail."', bo_content_head = '{$_POST['bo_content_head']}', bo_content_tail = '{$_POST['bo_content_tail']}', bo_mobile_content_head = '{$_POST['bo_mobile_content_head']}', diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php index 9904425b1..d344c4707 100644 --- a/adm/contentformupdate.php +++ b/adm/contentformupdate.php @@ -20,8 +20,11 @@ if ($w == "" || $w == "u") $co_row = sql_fetch($sql); } +$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); +$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) { diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php index df9153e9c..1072b765f 100644 --- a/adm/qa_config_update.php +++ b/adm/qa_config_update.php 
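Review bot: `$sql_common .= " bo_include_head = '".$bo_include_head."',` now concatenates the extracted request variable straight into the SQL string; the hunk shows no escaping, and the `substr`/`preg_replace` pass at the top of the file is a filter, not an escape, so safety rests on whatever escaping the framework applies to `$_POST` before the value is extracted into `$bo_include_head`. If that upstream escaping is not guaranteed for extracted variables, escape here explicitly with the project's SQL escape helper rather than relying on the admin-only context. The neighbouring `bo_content_head = '{$_POST['bo_content_head']}',` lines keep the interpolated form, so the same statement now mixes two conventions for the same kind of value.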
@@ -12,8 +12,11 @@ $error_msg = ''; $qaconfig = get_qa_config(); +$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255)); +$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) { diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php index 90f5b3bd7..2e05a4b67 100644 --- a/adm/sms_admin/num_book_write.php +++ b/adm/sms_admin/num_book_write.php @@ -43,12 +43,12 @@ include_once(G5_ADMIN_PATH."/admin.head.php"); ?>
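Review bot: The rewritten condition `if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || ...))` keeps the leading `$board &&` guard, and nothing visible in this Q&A config hunk sets `$board`; if it is unset here, the captcha requirement for changing the include paths is skipped silently. The guard looks carried over from adm/board_form_update.php, where `$board` is the board row, and here it should probably be dropped: `if (($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){`. Confirm against the rest of the file before removing it.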
- - - + + + - +
@@ -187,14 +187,12 @@ function book_submit(){ if($check_msg.size()> 0) $check_msg.remove(); -// $("#exist_msg").text(""); is_submit = true; } else { if($check_msg.size() < 1) $("input#bk_hp").after("

이 번호를 쓰는 회원 정보

    "); $("#hp_check_el").find("ul").html( list_text ); -// $("#exist_msg").html(""); if(confirm("회원 정보에 중복 휴대폰 번호가 있습니다.수정하실 경우 회원정보에 반영되지 않습니다.\n수정하시겠습니까?")) is_submit = true; diff --git a/bbs/formmail_send.php b/bbs/formmail_send.php index 090209479..b36feed06 100644 --- a/bbs/formmail_send.php +++ b/bbs/formmail_send.php @@ -12,14 +12,13 @@ if (!$is_member && $config['cf_formmail_is_member']) $email_enc = new str_encrypt(); $to = $email_enc->decrypt($to); -if (substr_count($to, "@") > 1) - alert_close('한번에 한사람에게만 메일을 발송할 수 있습니다.'); - - if (!chk_captcha()) { alert('자동등록방지 숫자가 틀렸습니다.'); } +if (!preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)){ + alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.'); +} $file = array(); for ($i=1; $i<=$attach; $i++) { diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php index 8dfa76b28..685dec86c 100644 --- a/bbs/member_confirm.php +++ b/bbs/member_confirm.php @@ -24,6 +24,10 @@ $url = clean_xss_tags($_GET['url']); // url 체크 check_url_host($url, '', G5_URL, true); +if( preg_match('#^/{3,}#', $url) ){ + $url = preg_replace('#^/{3,}#', '/', $url); +} + $url = get_text($url); include_once($member_skin_path.'/member_confirm.skin.php'); diff --git a/lib/common.lib.php b/lib/common.lib.php index 084ffb16e..2da6faa4b 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -3269,7 +3269,7 @@ class str_encrypt function __construct($salt='') { if(!$salt) - $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), G5_MYSQL_PASSWORD)); + $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT'])); else $this->salt = $salt; 
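Review bot: The added check `preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)` is unanchored, so it only requires that an address-like substring appear somewhere in `$to`; anything around that substring still passes, which also gives up the one-recipient guarantee the removed `substr_count($to, "@") > 1` check provided. Simply anchoring the pattern would reject legitimate addresses, because the character class allows no `.` in the local part and only one label after the `@`, so the simplest correct replacement is the built-in validator: `if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {`, which accepts exactly one well-formed address. Placing that test before `chk_captcha()` would also avoid consuming a captcha for a request that is rejected anyway.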
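Review bot: The slash collapse `$url = preg_replace('#^/{3,}#', '/', $url);` runs after `check_url_host($url, '', G5_URL, true)`, so the host check validates one string and the skin receives another; normalisation should come before validation so that the value checked is the value used. The surrounding `if( preg_match('#^/{3,}#', $url) )` adds nothing, because `preg_replace` returns a non-matching string unchanged — the single replace line, moved above the `check_url_host` call, is sufficient. Whether the two-slash prefix that `{3,}` leaves untouched is handled inside `check_url_host` is not visible here and is worth confirming.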
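Review bot: The replacement default salt `md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT']))` is derived from values that are not secret — `SERVER_SOFTWARE` is commonly advertised in response headers and `DOCUMENT_ROOT` follows hosting conventions — so the key protecting `str_encrypt` payloads (for example the form-mail recipient decrypted in bbs/formmail_send.php) has little entropy an outsider cannot reconstruct. Moving off the database password is reasonable, but the salt should come from a dedicated random value generated at install time from a cryptographic random source and stored in the configuration (a constant such as `G5_ENCRYPT_KEY`, placeholder name, read here as the default), with the fallback failing loudly rather than degrading to environment strings. Two practical side effects are also worth noting: `$_SERVER['SERVER_SOFTWARE']` is absent under the CLI, and a web-server upgrade changes the string and invalidates every value encrypted before it. The constructor continues outside the hunk.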
@@ -3438,7 +3438,7 @@ function is_include_path_check($path='', $is_input='') if( $path ){ if ($is_input){ - if( stripos($path, 'php://') !== false || stripos($path, 'zlib://') !== false || stripos($path, 'bzip2://') !== false || stripos($path, 'zip://') !== false || stripos($path, 'data:text/') !== false || stripos($path, 'data://') !== false ){ + if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){ return false; } @@ -3478,7 +3478,7 @@ function is_include_path_check($path='', $is_input='') return false; } - if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $path) ){ + if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){ return false; } }
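Review bot: The widened test `stripos($path, 'php:') !== false || ... || stripos($path, 'phar:') !== false` is still a fixed deny-list of six scheme prefixes, and a PHP build registers more stream wrappers than that, so any wrapper not on the list still reaches the include. Since the intent is "no wrapper at all", derive the list from the runtime instead: `foreach (stream_get_wrappers() as $wrapper) { if (stripos($path, $wrapper.':') !== false) return false; }`, which also covers wrappers added by extensions on a particular host. A short comment on why the `//` was dropped from the needles would keep a later maintainer from restoring the narrower form. The enclosing `is_include_path_check()` begins before the hunk.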
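Review bot: The `str_replace('\\', '/', $path)` normalisation is applied only inside this one `preg_match` against the `data/(file|editor|...)` directories, while the wrapper-prefix test earlier in the function still inspects the raw `$path`, so a backslash form is judged differently by different checks of the same function. Unless an earlier check deliberately looks for the backslash itself (not visible here), normalise once near the top of `is_include_path_check()` — `$path = str_replace('\\', '/', $path);` right after the `if( $path ){` guard — so every subsequent test sees the same canonical string, and this `preg_match` can test `$path` directly again. The function starts before the hunk, so the other checks are only partly visible here.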