From c0fcd3a1ed4462f6e1282bef42a4929e9882725b Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Mon, 14 May 2018 16:54:05 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2018-0289,=200290,=200291,=200292,=200293?=
 =?UTF-8?q?=20=EC=98=81=EC=B9=B4=ED=8A=B8,=20=EA=B7=B8=EB=88=84=EB=B3=B4?=
 =?UTF-8?q?=EB=93=9C=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/admin.lib.php         | 12 +++++++
 adm/ajax.use_captcha.php  |  7 ++++
 adm/board_form.php        | 66 ++++++++++++++++++++++++++++++++++++
 adm/board_form_update.php | 12 +++++++
 adm/contentform.php       | 70 +++++++++++++++++++++++++++++++++++++++
 adm/contentformupdate.php | 40 ++++++++++++++++------
 adm/css/admin.css         |  9 +++++
 adm/qa_config.php         | 67 +++++++++++++++++++++++++++++++++++++
 adm/qa_config_update.php  | 14 ++++++++
 bbs/delete_comment.php    |  2 ++
 plugin/okname/hpcert1.php |  5 ++-
 plugin/okname/hpcert2.php |  5 ++-
 12 files changed, 296 insertions(+), 13 deletions(-)
 create mode 100644 adm/ajax.use_captcha.php

diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 80abc95f0..48baae0fd 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -355,6 +355,18 @@ function get_admin_token()
     return $token;
 }
 
+// 관리자가 자동등록방지를 사용해야 할 경우
+function get_admin_captcha_by($type='get'){
+    
+    $captcha_name = 'ss_admin_use_captcha';
+
+    if($type === 'remove'){
+        set_session($captcha_name, '');
+    }
+
+    return get_session($captcha_name);
+}
+
 //input value 에서 xss 공격 filter 역할을 함 ( 반드시 input value='' 타입에만 사용할것 )
 function get_sanitize_input($s, $is_html=false){
 
diff --git a/adm/ajax.use_captcha.php b/adm/ajax.use_captcha.php
new file mode 100644
index 000000000..8f7de32b1
--- /dev/null
+++ b/adm/ajax.use_captcha.php
@@ -0,0 +1,7 @@
+<?php
+include_once('./_common.php');
+
+if( isset($_POST['admin_use_captcha']) ){
+    set_session('ss_admin_use_captcha', true);
+}
+?>
\ No newline at end of file
diff --git a/adm/board_form.php b/adm/board_form.php
index d32c8f287..ec6a2e1df 100644
--- a/adm/board_form.php
+++ b/adm/board_form.php
@@ -850,6 +850,22 @@ $pg_anchor = '<ul class="anchor">
                 <label for="chk_all_include_tail">전체적용</label>
             </td>
         </tr>
+        <tr id="admin_captcha_box" style="display:none;">
+            <th scope="row">자동등록방지</th>
+            <td>
+                <?php
+                echo help("파일 경로를 입력 또는 수정시 캡챠를 반드시 입력해야 합니다.");
+
+                include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+                $captcha_html = captcha_html();
+                $captcha_js   = chk_captcha_js();
+                echo $captcha_html;
+                ?>
+                <script>
+                jQuery("#captcha_key").removeAttr("required").removeClass("required");
+                </script>
+            </td>
+        </tr>
         <tr>
             <th scope="row"><label for="bo_content_head">상단 내용</label></th>
             <td>
@@ -1310,6 +1326,52 @@ function set_point(f) {
     }
 }
 
+var captcha_chk = false;
+
+function use_captcha_check(){
+    $.ajax({
+        type: "POST",
+        url: g5_admin_url+"/ajax.use_captcha.php",
+        data: { admin_use_captcha: "1" },
+        cache: false,
+        async: false,
+        dataType: "json",
+        success: function(data) {
+        }
+    });
+}
+
+function frm_check_file(){
+    var bo_include_head = "<?php echo $board['bo_include_head']; ?>";
+    var bo_include_tail = "<?php echo $board['bo_include_tail']; ?>";
+    var head = jQuery.trim(jQuery("#bo_include_head").val());
+    var tail = jQuery.trim(jQuery("#bo_include_tail").val());
+
+    if(bo_include_head !== head || bo_include_tail !== tail){
+        // 캡챠를 사용합니다.
+        jQuery("#admin_captcha_box").show();
+        captcha_chk = true;
+
+        use_captcha_check();
+
+        return false;
+    } else {
+        jQuery("#admin_captcha_box").hide();
+    }
+
+    return true;
+}
+
+jQuery(function($){
+    if( window.self !== window.top ){   // frame 또는 iframe을 사용할 경우 체크
+        $("#bo_include_head, #bo_include_tail").on("change paste keyup", function(e) {
+            frm_check_file();
+        });
+
+        use_captcha_check();
+    }
+});
+
 function fboardform_submit(f)
 {
     <?php echo get_editor_js("bo_content_head"); ?>
@@ -1329,6 +1391,10 @@ function fboardform_submit(f)
         return false;
     }
 
+    if( captcha_chk ) {
+        <?php echo isset($captcha_js) ? $captcha_js : ''; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함  ?>
+    }
+
     return true;
 }
 </script>
diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 2f4816af6..b7e56ef8c 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -17,6 +17,15 @@ if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); }
 $_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255));
 $_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255));
 
+// 관리자가 자동등록방지를 사용해야 할 경우
+if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+    include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+
+    if (!chk_captcha()) {
+        alert('자동등록방지 숫자가 틀렸습니다.');
+    }
+}
+
 if ($file = $_POST['bo_include_head']) {
     $file_ext = pathinfo($file, PATHINFO_EXTENSION);
 
@@ -426,5 +435,8 @@ if ($all_fields) {
 
 delete_cache_latest($bo_table);
 
+if(function_exists('get_admin_captcha_by'))
+    get_admin_captcha_by('remove');
+
 goto_url("./board_form.php?w=u&bo_table={$bo_table}&amp;{$qstr}");
 ?>
diff --git a/adm/contentform.php b/adm/contentform.php
index 2d9d77565..024a17615 100644
--- a/adm/contentform.php
+++ b/adm/contentform.php
@@ -126,6 +126,22 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
             <input type="text" name="co_include_tail" value="<?php echo $co['co_include_tail']; ?>" id="co_include_tail" class="frm_input" size="60">
         </td>
     </tr>
+    <tr id="admin_captcha_box" style="display:none;">
+        <th scope="row">자동등록방지</th>
+        <td>
+            <?php
+            echo help("파일 경로를 입력 또는 수정시 캡챠를 반드시 입력해야 합니다.");
+
+            include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+            $captcha_html = captcha_html();
+            $captcha_js   = chk_captcha_js();
+            echo $captcha_html;
+            ?>
+            <script>
+            jQuery("#captcha_key").removeAttr("required").removeClass("required");
+            </script>
+        </td>
+    </tr>
     <tr>
         <th scope="row"><label for="co_himg">상단이미지</label></th>
         <td>
@@ -185,7 +201,56 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
 
 </form>
 
+<?php
+// [KVE-2018-2089] 취약점 으로 인해 파일 경로 수정시에만 자동등록방지 코드 사용
+?>
 <script>
+var captcha_chk = false;
+
+function use_captcha_check(){
+    $.ajax({
+        type: "POST",
+        url: g5_admin_url+"/ajax.use_captcha.php",
+        data: { admin_use_captcha: "1" },
+        cache: false,
+        async: false,
+        dataType: "json",
+        success: function(data) {
+        }
+    });
+}
+
+function frm_check_file(){
+    var co_include_head = "<?php echo $co['co_include_head']; ?>";
+    var co_include_tail = "<?php echo $co['co_include_tail']; ?>";
+    var head = jQuery.trim(jQuery("#co_include_head").val());
+    var tail = jQuery.trim(jQuery("#co_include_tail").val());
+
+    if(co_include_head !== head || co_include_tail !== tail){
+        // 캡챠를 사용합니다.
+        jQuery("#admin_captcha_box").show();
+        captcha_chk = true;
+
+        use_captcha_check();
+
+        return false;
+    } else {
+        jQuery("#admin_captcha_box").hide();
+    }
+
+    return true;
+}
+
+jQuery(function($){
+    if( window.self !== window.top ){   // frame 또는 iframe을 사용할 경우 체크
+        $("#co_include_head, #co_include_tail").on("change paste keyup", function(e) {
+            frm_check_file();
+        });
+
+        use_captcha_check();
+    }
+});
+
 function frmcontentform_check(f)
 {
     errmsg = "";
@@ -204,6 +269,11 @@ function frmcontentform_check(f)
         errfld.focus();
         return false;
     }
+    
+    if( captcha_chk ) {
+        <?php echo $captcha_js; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함  ?>
+    }
+
     return true;
 }
 </script>
diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index fa6a6048b..753c5e4bf 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@@ -12,6 +12,23 @@ else
 
 check_admin_token();
 
+if ($w == "" || $w == "u")
+{
+    if(preg_match("/[^a-z0-9_]/i", $co_id)) alert("ID 는 영문자, 숫자, _ 만 가능합니다.");
+
+    $sql = " select * from {$g5['content_table']} where co_id = '$co_id' ";
+    $co_row = sql_fetch($sql);
+}
+
+// 관리자가 자동등록방지를 사용해야 할 경우
+if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+    include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+
+    if (!chk_captcha()) {
+        alert('자동등록방지 숫자가 틀렸습니다.');
+    }
+}
+
 @mkdir(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
 @chmod(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
 
@@ -21,17 +38,19 @@ if ($co_timg_del)  @unlink(G5_DATA_PATH."/content/{$co_id}_t");
 $error_msg = '';
 
 if( $co_include_head ){
-    $purl = parse_url($co_include_head);
-    $file = $purl['path'];
-    if (!preg_match("/\.(php|htm['l']?)$/i", $file)) {
+
+    $file_ext = pathinfo($co_include_head, PATHINFO_EXTENSION);
+
+    if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) ) {
         alert('상단 파일 경로의 확장자는 php, html 만 허용합니다.');
     }
 }
 
 if( $co_include_tail ){
-    $purl = parse_url($co_include_tail);
-    $file = $purl['path'];
-    if (!preg_match("/\.(php|htm['l']?)$/i", $file)) {
+
+    $file_ext = pathinfo($co_include_tail, PATHINFO_EXTENSION);
+
+    if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) ) {
         alert('하단 파일 경로의 확장자는 php, html 만 허용합니다.');
     }
 }
@@ -58,11 +77,7 @@ $sql_common = " co_include_head     = '$co_include_head',
 
 if ($w == "")
 {
-    //if(eregi("[^a-z0-9_]", $co_id)) alert("ID 는 영문자, 숫자, _ 만 가능합니다.");
-    if(preg_match("/[^a-z0-9_]/i", $co_id)) alert("ID 는 영문자, 숫자, _ 만 가능합니다.");
-
-    $sql = " select co_id from {$g5['content_table']} where co_id = '$co_id' ";
-    $row = sql_fetch($sql);
+    $row = $co_row;
     if ($row['co_id'])
         alert("이미 같은 ID로 등록된 내용이 있습니다.");
 
@@ -87,6 +102,9 @@ else if ($w == "d")
     sql_query($sql);
 }
 
+if(function_exists('get_admin_captcha_by'))
+    get_admin_captcha_by('remove');
+
 if ($w == "" || $w == "u")
 {
     if ($_FILES['co_himg']['name'])
diff --git a/adm/css/admin.css b/adm/css/admin.css
index 0604c4f5f..5b31afdc1 100644
--- a/adm/css/admin.css
+++ b/adm/css/admin.css
@@ -685,6 +685,15 @@ box-shadow: 2px 2px 3px 0px rgba(0,0,0,0.2);}
 .sevice_2 .svc_design{overflow:hidden;height:210px;position:relative}
 .sevice_2 .svc_design .svc_btn a{margin:0 0 20px}
 
+/* 캡챠 */
+#captcha {display:inline-block;position:relative}
+#captcha legend {position:absolute;margin:0;padding:0;font-size:0;line-height:0;text-indent:-9999em;overflow:hidden;}
+#captcha #captcha_img {;height:40px;border:1px solid #898989;vertical-align:top;padding:0;margin:0}
+#captcha #captcha_mp3 {;margin:0;padding:0;width:40px;height:40px;border:0;background:transparent;vertical-align:middle;overflow:hidden;cursor:pointer;background:url('../../img/captcha2.png') no-repeat;text-indent:-999px;border-radius:3px}
+#captcha #captcha_reload {margin:0;padding:0;width:40px;height:40px;border:0;background:transparent;vertical-align:middle;overflow:hidden;cursor:pointer;background:url('../../img/captcha2.png') no-repeat  0 -40px;text-indent:-999px;border-radius:3px}
+#captcha #captcha_key {margin:0 0 0 3px;padding:0 5px;width:90px;height:40px;border:1px solid #ccc;background:#fff;font-size:1.333em;font-weight:bold;text-align:center;border-radius:3px;vertical-align:top}
+#captcha #captcha_info {display:block;margin:5px 0 0;font-size:0.95em;letter-spacing:-0.1em}
+
 /*테마*/
 .theme_p{margin:0 0 10px }
 #theme_list{padding:0;margin:0;list-style:none;  width: 1000px;position:relative}
diff --git a/adm/qa_config.php b/adm/qa_config.php
index d07e03264..312dcd8cd 100644
--- a/adm/qa_config.php
+++ b/adm/qa_config.php
@@ -263,6 +263,22 @@ if(!isset($qaconfig['qa_include_head'])) {
                 <input type="text" name="qa_include_tail" value="<?php echo $qaconfig['qa_include_tail'] ?>" id="qa_include_tail" class="frm_input" size="50">
             </td>
         </tr>
+        <tr id="admin_captcha_box" style="display:none;">
+            <th scope="row">자동등록방지</th>
+            <td>
+                <?php
+                echo help("파일 경로를 입력 또는 수정시 캡챠를 반드시 입력해야 합니다.");
+
+                include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+                $captcha_html = captcha_html();
+                $captcha_js   = chk_captcha_js();
+                echo $captcha_html;
+                ?>
+                <script>
+                jQuery("#captcha_key").removeAttr("required").removeClass("required");
+                </script>
+            </td>
+        </tr>
         <tr>
             <th scope="row"><label for="qa_content_head">상단 내용</label></th>
             <td>
@@ -316,6 +332,53 @@ if(!isset($qaconfig['qa_include_head'])) {
 </form>
 
 <script>
+
+var captcha_chk = false;
+
+function use_captcha_check(){
+    $.ajax({
+        type: "POST",
+        url: g5_admin_url+"/ajax.use_captcha.php",
+        data: { admin_use_captcha: "1" },
+        cache: false,
+        async: false,
+        dataType: "json",
+        success: function(data) {
+        }
+    });
+}
+
+function frm_check_file(){
+    var qa_include_head = "<?php echo $qaconfig['qa_include_head']; ?>";
+    var qa_include_tail = "<?php echo $qaconfig['qa_include_tail']; ?>";
+    var head = jQuery.trim(jQuery("#qa_include_head").val());
+    var tail = jQuery.trim(jQuery("#qa_include_tail").val());
+
+    if(qa_include_head !== head || qa_include_tail !== tail){
+        // 캡챠를 사용합니다.
+        jQuery("#admin_captcha_box").show();
+        captcha_chk = true;
+
+        use_captcha_check();
+
+        return false;
+    } else {
+        jQuery("#admin_captcha_box").hide();
+    }
+
+    return true;
+}
+
+jQuery(function($){
+    if( window.self !== window.top ){   // frame 또는 iframe을 사용할 경우 체크
+        $("#qa_include_head, #qa_include_tail").on("change paste keyup", function(e) {
+            frm_check_file();
+        });
+
+        use_captcha_check();
+    }
+});
+
 function fqaconfigform_submit(f)
 {
     <?php echo get_editor_js("qa_content_head"); ?>
@@ -323,6 +386,10 @@ function fqaconfigform_submit(f)
     <?php echo get_editor_js("qa_mobile_content_head"); ?>
     <?php echo get_editor_js("qa_mobile_content_tail"); ?>
 
+    if( captcha_chk ) {
+        <?php echo isset($captcha_js) ? $captcha_js : ''; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함  ?>
+    }
+
     f.action = "./qa_config_update.php";
     return true;
 }
diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php
index b56dc1f47..a472f7c6c 100644
--- a/adm/qa_config_update.php
+++ b/adm/qa_config_update.php
@@ -10,6 +10,17 @@ check_admin_token();
 
 $error_msg = '';
 
+$qaconfig = get_qa_config();
+
+// 관리자가 자동등록방지를 사용해야 할 경우
+if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+    include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
+
+    if (!chk_captcha()) {
+        alert('자동등록방지 숫자가 틀렸습니다.');
+    }
+}
+
 if( $qa_include_head ){
     $file_ext = pathinfo($qa_include_head, PATHINFO_EXTENSION);
 
@@ -75,6 +86,9 @@ $sql = " update {$g5['qa_config_table']}
                 qa_5                    = '{$_POST['qa_5']}' ";
 sql_query($sql);
 
+if(function_exists('get_admin_captcha_by'))
+    get_admin_captcha_by('remove');
+
 if($error_msg){
     alert($error_msg, './qa_config.php');
 } else {
diff --git a/bbs/delete_comment.php b/bbs/delete_comment.php
index 326ef71e5..6b4929f63 100644
--- a/bbs/delete_comment.php
+++ b/bbs/delete_comment.php
@@ -2,6 +2,8 @@
 // 코멘트 삭제
 include_once('./_common.php');
 
+$comment_id = (int) $comment_id;
+
 $delete_comment_token = get_session('ss_delete_comment_'.$comment_id.'_token');
 set_session('ss_delete_comment_'.$comment_id.'_token', '');
 
diff --git a/plugin/okname/hpcert1.php b/plugin/okname/hpcert1.php
index e4bdbaff3..97e856421 100644
--- a/plugin/okname/hpcert1.php
+++ b/plugin/okname/hpcert1.php
@@ -4,8 +4,11 @@ include_once('./_common.php');
 // 금일 인증시도 회수 체크
 certify_count_check($member['mb_id'], 'hp');
 
-include_once('./hpcert.config.php');
+//include_once('./hpcert.config.php');
 
+// KISA 취약점 내용(KVE-2018-0291) hpcert1.php의 $cmd 함수에 대한 인자 값은 hpcert_config.php 파일에서 설정되나, 이를 다른 페이지에서 포함한 뒤 호출할 시 임의 값 설정 가능
+// 이에 include_once 를 include 로 수정함
+include('./hpcert.config.php');
 /**************************************************************************
 okname 실행
 **************************************************************************/
diff --git a/plugin/okname/hpcert2.php b/plugin/okname/hpcert2.php
index cb8319db5..5788cb46b 100644
--- a/plugin/okname/hpcert2.php
+++ b/plugin/okname/hpcert2.php
@@ -1,7 +1,10 @@
 <?php
 include_once('./_common.php');
-include_once('./hpcert.config.php');
+//include_once('./hpcert.config.php');
 
+// KISA 취약점 내용(KVE-2018-0291) hpcert1.php의 $cmd 함수에 대한 인자 값은 hpcert_config.php 파일에서 설정되나, 이를 다른 페이지에서 포함한 뒤 호출할 시 임의 값 설정 가능
+// 이에 include_once 를 include 로 수정함
+include('./hpcert.config.php');
 /**************************************************************************
     파일명 : safe_hs_cert3.php