firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

[KVE-2025-0234] 관리자 XSS 취약점 수정

Browse Source
This commit is contained in:
2025-04-15 10:11:31 +09:00
parent 918ad48675
commit c5817594d0
12 changed files with 156 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
adm/admin.lib.php
View File

@ -554,9 +554,18 @@ function admin_check_xss_params($params)
if (is_array($value)) {
admin_check_xss_params($value);
} else if ((preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/(onload|onerror)=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/(onload|onerror|focus)=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
} else if (
(preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/on[a-z]+=*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) ||
(preg_match('/(on[a-z]+|focus)=.*/ius', $value) && preg_match('/(eval|atob|fetch|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.', G5_URL);
die();
} else if (preg_match('/atob\s*\(\s*[\'"]?([a-zA-Z0-9+\/=]+)[\'"]?\s*\)/ius', $value, $matches)) {
$decoded = base64_decode($matches[1], true);
if ($decoded && preg_match('/(eval|fetch|script|alert|settimeout|setinterval)/ius', $decoded)) {
// error_log("Base64 XSS 시도 감지: key=$key, decoded=$decoded, IP=" . $_SERVER['REMOTE_ADDR']);
alert('Base64로 인코딩된 위험한 스크립트가 발견되었습니다.', G5_URL);
die();
}
}
}

81
adm/config_form.php
View File

@ -1557,7 +1557,17 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
</table>
</div>
</section>
<div id="config_captcha_wrap" style="display:none">
<h2>캡챠입력</h2>
<?php
require_once G5_CAPTCHA_PATH . '/captcha.lib.php';
$captcha_html = captcha_html();
$captcha_js = chk_captcha_js();
echo $captcha_html;
?>
</div>
<div class="btn_fixed_top btn_confirm">
<input type="submit" value="확인" class="btn_submit btn" accesskey="s">
</div>
@ -1629,10 +1639,61 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
});
});
// 각 요소의 초기값 저장
var initialValues = {
cf_admin: $('#cf_admin').val(),
cf_analytics: $('#cf_analytics').val(),
cf_add_meta: $('#cf_add_meta').val(),
cf_add_script: $('#cf_add_script').val()
};
function check_config_captcha_open() {
var isChanged = false;
// 현재 값이 있는 경우에만 변경 여부 체크
if ($('#cf_admin').val()) {
isChanged = isChanged || $('#cf_admin').val() !== initialValues.cf_admin;
}
if ($('#cf_analytics').val()) {
isChanged = isChanged || $('#cf_analytics').val() !== initialValues.cf_analytics;
}
if ($('#cf_add_meta').val()) {
isChanged = isChanged || $('#cf_add_meta').val() !== initialValues.cf_add_meta;
}
if ($('#cf_add_script').val()) {
isChanged = isChanged || $('#cf_add_script').val() !== initialValues.cf_add_script;
}
var $wrap = $("#config_captcha_wrap"),
tooptipid = "mp_captcha_tooltip",
$p_text = $("<p>", {id:tooptipid, style:"font-size:0.95em;letter-spacing:-0.1em"}).html("중요정보를 수정할 경우 캡챠를 입력해야 합니다."),
$children = $wrap.children(':first'),
is_invisible_recaptcha = $("#captcha").hasClass("invisible_recaptcha");
if(isChanged){
$wrap.show();
if(! is_invisible_recaptcha) {
$wrap.css("margin-top","1em");
if(! $("#"+tooptipid).length){ $children.after($p_text) }
}
} else {
$wrap.hide();
if($("#"+tooptipid).length && ! is_invisible_recaptcha){ $children.next("#"+tooptipid).remove(); }
}
return isChanged;
}
function fconfigform_submit(f) {
var current_user_ip = "<?php echo $_SERVER['REMOTE_ADDR']; ?>";
var cf_intercept_ip_val = f.cf_intercept_ip.value;
if (check_config_captcha_open()){
jQuery("html, body").scrollTop(jQuery("#config_captcha_wrap").offset().top);
<?php echo $captcha_js; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함 ?>
}
if (cf_intercept_ip_val && current_user_ip) {
var cf_intercept_ips = cf_intercept_ip_val.split("\n");
@ -1653,6 +1714,22 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
f.action = "./config_form_update.php";
return true;
}
jQuery(function($){
$("#captcha_key").prop('required', false).removeAttr("required").removeClass("required");
// 최고관리자 변경시
$(document).on('change', '#cf_admin', check_config_captcha_open);
// 방문자분석 스크립트 변경시
$(document).on('input', '#cf_analytics', check_config_captcha_open);
// 추가 메타태그 변경시
$(document).on('input', '#cf_add_meta', check_config_captcha_open);
// 추가 script, css 변경시
$(document).on('input', '#cf_add_script', check_config_captcha_open);
});
</script>
<?php

34
adm/config_form_update.php
View File

@ -10,6 +10,9 @@ if ($is_admin != 'super') {
alert('최고관리자만 접근 가능합니다.');
}
$sql = " select * from {$g5['config_table']} limit 1";
$ori_config = sql_fetch($sql);
$cf_title = isset($_POST['cf_title']) ? strip_tags(clean_xss_attributes($_POST['cf_title'])) : '';
$cf_admin = isset($_POST['cf_admin']) ? clean_xss_tags($_POST['cf_admin'], 1, 1) : '';
@ -185,6 +188,33 @@ if (!$_POST['cf_cert_use']) {
$_POST['cf_cert_simple'] = '';
}
// 관리자가 자동등록방지를 사용해야 할 경우 ( 기본환경설정에서 최고관리자, 방문자분석 스크립트, 추가 메타태그, 추가 script, css 변경시 )
$check_captcha = 0;
if ($cf_admin && $ori_config['cf_admin'] !== $cf_admin) {
$check_captcha = 1;
}
if ($_POST['cf_analytics'] && $ori_config['cf_analytics'] !== stripslashes($_POST['cf_analytics'])) {
$check_captcha = 1;
}
if ($_POST['cf_add_meta'] && $ori_config['cf_add_meta'] !== stripslashes($_POST['cf_add_meta'])) {
$check_captcha = 1;
}
if ($_POST['cf_add_script'] && $ori_config['cf_add_script'] !== stripslashes($_POST['cf_add_script'])) {
$check_captcha = 1;
}
if ($check_captcha) {
include_once(G5_CAPTCHA_PATH . '/captcha.lib.php');
if (!chk_captcha()) {
alert('자동등록방지 숫자가 틀렸습니다.');
}
}
$sql = " update {$g5['config_table']}
set cf_title = '{$cf_title}',
cf_admin = '{$cf_admin}',
@ -346,6 +376,10 @@ if (isset($_POST['cf_bbs_rewrite'])) {
g5_delete_all_cache();
}
if (function_exists('get_admin_captcha_by')) {
get_admin_captcha_by('remove');
}
run_event('admin_config_form_update');
update_rewrite_rules();

2
adm/member_form_update.php
View File

@ -19,7 +19,7 @@ $mb_certify = isset($_POST['mb_certify']) ? preg_replace('/[^0-9a-z_]/i', ''
$mb_zip = isset($_POST['mb_zip']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['mb_zip']) : '';
// 관리자가 자동등록방지를 사용해야 할 경우 ( 회원의 비밀번호 변경시 캡챠를 체크한다 )
if ($mb_password && function_exists('get_admin_captcha_by') && get_admin_captcha_by()) {
if ($mb_password) {
include_once(G5_CAPTCHA_PATH . '/captcha.lib.php');
if (!chk_captcha()) {

14
adm/shop_admin/couponform.php
View File

@ -46,13 +46,13 @@ include_once(G5_PLUGIN_PATH.'/jquery-ui/datepicker.php');
?>
<form name="fcouponform" action="./couponformupdate.php" method="post" onsubmit="return form_check(this);">
<input type="hidden" name="w" value="<?php echo $w; ?>">
<input type="hidden" name="cp_id" value="<?php echo $cp_id; ?>">
<input type="hidden" name="sst" value="<?php echo $sst; ?>">
<input type="hidden" name="sod" value="<?php echo $sod; ?>">
<input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
<input type="hidden" name="stx" value="<?php echo $stx; ?>">
<input type="hidden" name="page" value="<?php echo $page;?>">
<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>">
<input type="hidden" name="cp_id" value="<?php echo get_sanitize_input($cp_id); ?>">
<input type="hidden" name="sst" value="<?php echo get_sanitize_input($sst); ?>">
<input type="hidden" name="sod" value="<?php echo get_sanitize_input($sod); ?>">
<input type="hidden" name="sfl" value="<?php echo get_sanitize_input($sfl); ?>">
<input type="hidden" name="stx" value="<?php echo get_sanitize_input($stx); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page);?>">
<div class="tbl_frm01 tbl_wrap">
<table>

8
adm/shop_admin/itemsellrank.php
View File

@ -68,10 +68,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sel_ca_id" class="sound_only">검색대상</label>
<select name="sel_ca_id" id="sel_ca_id">

8
adm/shop_admin/itemstocklist.php
View File

@ -67,10 +67,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sel_ca_id" class="sound_only">분류선택</label>
<select name="sel_ca_id" id="sel_ca_id">

8
adm/shop_admin/itemstocksms.php
View File

@ -74,10 +74,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sel_field" class="sound_only">검색대상</label>
<select name="sel_field" id="sel_field">

4
adm/shop_admin/itemtypelist.php
View File

@ -85,8 +85,8 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sca" class="sound_only">분류선택</label>
<select name="sca" id="sca">

8
adm/shop_admin/optionstocklist.php
View File

@ -69,10 +69,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sel_ca_id" class="sound_only">분류선택</label>
<select name="sel_ca_id" id="sel_ca_id">

10
adm/shop_admin/orderlist.php
View File

@ -160,11 +160,11 @@ if( function_exists('pg_setting_check') ){
</div>
<form name="frmorderlist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="save_search" value="<?php echo $search; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<input type="hidden" name="save_search" value="<?php echo get_sanitize_input($search); ?>">
<label for="sel_field" class="sound_only">검색대상</label>
<select name="sel_field" id="sel_field">

4
adm/shop_admin/wishlist.php
View File

@ -58,8 +58,8 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
</div>
<form name="flist" class="local_sch01 local_sch">
<input type="hidden" name="doc" value="<?php echo $doc; ?>">
<input type="hidden" name="page" value="<?php echo $page; ?>">
<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<label for="sel_ca_id" class="sound_only">검색대상</label>
<select name="sel_ca_id" id="sel_ca_id">