From 42273561089bc3b45fc4851ea05a54693a9235e3 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 6 Mar 2019 18:00:32 +0900
Subject: [PATCH 1/7] =?UTF-8?q?[KVE-2019-0335,=200344=20=EB=8B=A4=EC=A4=91?= =?UTF-8?q?=20=EC=B7=A8=EC=95=BD=EC=A0=90]=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/board_form_update.php | 9 ++++++---
 bbs/alert.php | 3 +--
 bbs/confirm.php | 12 +++++++++---
 lib/common.lib.php | 15 +++++++++++++--
 plugin/okname/hpcert1.php | 6 ++++--
 plugin/okname/hpcert2.php | 5 ++++-
 plugin/okname/ipin.config.php | 1 +
 plugin/okname/ipin1.php | 4 ++++
 plugin/okname/ipin2.php | 7 ++++++-
 9 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 2222baadb..497d1df01 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -9,7 +9,10 @@ auth_check($auth[$sub_menu], 'w');
 check_admin_token();
-if (!$_POST['gr_id']) { alert('그룹 ID는 반드시 선택하세요.'); }
+$gr_id = isset($_POST['gr_id']) ? preg_replace('/[^a-z0-9_]/i', '', $_POST['gr_id']) : '';
+$bo_admin = isset($_POST['bo_admin']) ? preg_replace('/[^a-z0-9_\, \|\#]/i', '', $_POST['bo_admin']) : '';
+
+if (!$gr_id) { alert('그룹 ID는 반드시 선택하세요.'); }
 if (!$bo_table) { alert('게시판 TABLE명은 반드시 입력하세요.'); }
 if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); }
 if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); }
@@ -75,11 +78,11 @@ $str_bo_category_list = isset($_POST['bo_category_list']) ? preg_replace("/[\<\>
 $_POST['bo_subject'] = strip_tags($_POST['bo_subject']);
 $_POST['bo_mobile_subject'] = strip_tags($_POST['bo_mobile_subject']);
-$sql_common = " gr_id = '{$_POST['gr_id']}',
+$sql_common = " gr_id = '{$gr_id}',
 bo_subject = '{$_POST['bo_subject']}',
 bo_mobile_subject = '{$_POST['bo_mobile_subject']}',
 bo_device = '{$_POST['bo_device']}',
- bo_admin = '{$_POST['bo_admin']}',
+ bo_admin = '{$bo_admin}',
 bo_list_level = '{$_POST['bo_list_level']}',
 bo_read_level = '{$_POST['bo_read_level']}',
 bo_write_level = '{$_POST['bo_write_level']}',
diff --git a/bbs/alert.php b/bbs/alert.php
index 1d74ad4b4..fbac90876 100644
--- a/bbs/alert.php
+++ b/bbs/alert.php
@@ -35,6 +35,7 @@ $url = clean_xss_tags($url);
 if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);
 $url = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", $url);
+$url = preg_replace('/\r\n|\r|\n|[^\x20-\x7e]/','', $url);
 // url 체크
 check_url_host($url, $msg);
@@ -48,11 +49,9 @@ if($error) {
diff --git a/bbs/confirm.php b/bbs/confirm.php
index a80f5eab1..5e71c009a 100644
--- a/bbs/confirm.php
+++ b/bbs/confirm.php
@@ -2,9 +2,15 @@
 include_once('./_common.php');
 include_once(G5_PATH.'/head.sub.php');
-$url1 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url1));
-$url2 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url2));
-$url3 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url3));
+$pattern1 = "/[\<\>\'\"\\\'\\\"\(\)]/";
+$pattern2 = "/\r\n|\r|\n|[^\x20-\x7e]/";
+
+$url1 = preg_replace($pattern1, "", clean_xss_tags($url1));
+$url1 = preg_replace($pattern2, "", $url1);
+$url2 = preg_replace($pattern1, "", clean_xss_tags($url2));
+$url2 = preg_replace($pattern2, "", $url2);
+$url3 = preg_replace($pattern1, "", clean_xss_tags($url3));
+$url3 = preg_replace($pattern2, "", $url3);
 // url 체크
 check_url_host($url1);
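Review bot: `$gr_id` and `$bo_admin` are now whitelisted before they reach `$sql_common`, but the same statement still interpolates `$_POST['bo_device']` and the `bo_*_level` values (for example `bo_list_level = '{$_POST['bo_list_level']}',`) straight into the SQL string with no normalisation visible in either hunk. The level columns can be pinned to integers with the same isset-and-normalise shape used for `$gr_id`, e.g. `$bo_list_level = isset($_POST['bo_list_level']) ? (int)$_POST['bo_list_level'] : 0;`, and `bo_device` compared against the fixed set of values the form offers. The `$sql_common` assignment continues past the end of the hunk, so later fields may need the same treatment. The whitelist in the first hunk, `/[^a-z0-9_\, \|\#]/i`, would also benefit from a one-line comment saying why `,`, `|`, `#` and space are legitimate in bo_admin, since a reader cannot tell from the regex alone.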
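Review bot: In the new `$url = preg_replace('/\r\n|\r|\n|[^\x20-\x7e]/','', $url);` the three line-break alternatives are already covered by `[^\x20-\x7e]` (CR and LF lie outside that range), so `'/[^\x20-\x7e]/'` does the same job and is easier to audit; the same applies to `$pattern2` in bbs/confirm.php. In confirm.php `$pattern2` is additionally written in double quotes, so PHP expands `\r`, `\n`, `\x20` and `\x7e` before PCRE sees them; the resulting bytes still describe the same set, but it reads differently from the single-quoted form in alert.php, so using the single-quoted `'/[^\x20-\x7e]/'` in both files would keep them obviously identical. Note that this filter repairs a redirect target by deleting bytes rather than rejecting it; a value that contained a CR or LF was never a legitimate target, so treating it like the empty-`$url` case handled by the `if (!$url)` line above would be the more conservative response. In confirm.php the same two-step treatment is repeated for `$url1`, `$url2` and `$url3`; a small local helper that applies both patterns would make it harder for a fourth variable to miss one.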
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 80552e574..d4197e468 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3488,7 +3488,7 @@ function get_call_func_cache($func, $args=array()){
 return $result;
 }
-// include 하는 경로에 data file 경로가 포함되어 있는지 체크합니다.
+// include 하는 경로에 data file 경로나 안전하지 않은 경로가 있는지 체크합니다.
 function is_include_path_check($path='', $is_input='')
 {
 if( $path ){
@@ -3499,6 +3499,14 @@ function is_include_path_check($path='', $is_input='')
 if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){
 return false;
 }
+
+ $replace_path = str_replace('\\', '/', $path);
+ $slash_count = substr_count(str_replace('\\', '/', $_SERVER['SCRIPT_NAME']), '/');
+ $peer_count = substr_count($replace_path, '../');
+
+ if ( $peer_count && $peer_count > $slash_count ){
+ return false;
+ }
 try {
 // whether $path is unix or not
@@ -3536,7 +3544,10 @@ function is_include_path_check($path='', $is_input='')
 return false;
 }
- if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){
+ if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $replace_path) ){
+ return false;
+ }
+ if( preg_match('/\.\.\//i', $replace_path) && preg_match('/plugin\//i', $replace_path) && preg_match('/okname\//i', $replace_path) ){
 return false;
 }
 }
diff --git a/plugin/okname/hpcert1.php b/plugin/okname/hpcert1.php
index 97e856421..45c64bd8f 100644
--- a/plugin/okname/hpcert1.php
+++ b/plugin/okname/hpcert1.php
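Review bot: The new traversal guard `if ( $peer_count && $peer_count > $slash_count )` only rejects an include path whose number of `../` segments exceeds the number of `/` in `$_SERVER['SCRIPT_NAME']`; it is a heuristic about depth, not a statement about where the path actually resolves, and it gives no answer for paths with fewer segments. If the code between this hunk and the `@@ -3536` hunk does not already canonicalise the candidate, a `realpath()` of it compared as a prefix against `G5_PATH` (after the same backslash normalisation) would express the real intent, with the count kept as a cheap early exit. The third hunk's extra rule, `preg_match('/\.\.\//i', $replace_path) && preg_match('/plugin\//i', $replace_path) && preg_match('/okname\//i', $replace_path)`, singles out one plugin directory and needs a comment naming the report it answers, because a reader cannot tell from the code why `plugin/okname` is special-cased while other plugins are not. `is_include_path_check()` opens in the first hunk and its body continues between and after the later hunks.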
@@ -1,11 +1,13 @@
Date: Thu, 7 Mar 2019 11:35:46 +0900
Subject: [PATCH 2/7] =?UTF-8?q?kcb=20=EB=B3=B8=EC=9D=B8=ED=99=95=EC=9D=B8?= =?UTF-8?q?=20=EC=98=A4=ED=83=80=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/config_form.php | 4 ++++
 plugin/okname/hpcert2.php | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/adm/config_form.php b/adm/config_form.php
index f08a9d94c..1193a7b7f 100644
--- a/adm/config_form.php
+++ b/adm/config_form.php
@@ -1419,6 +1419,10 @@ if($config['cf_cert_use']) {
 }
 echo module_exec_check($exe, 'okname');
+
+ if(is_dir(G5_OKNAME_PATH.'/log') && is_writable(G5_OKNAME_PATH.'/log') && function_exists('check_log_folder') ) {
+ check_log_folder(G5_OKNAME_PATH.'/log');
+ }
 }
 // kcp일 때
diff --git a/plugin/okname/hpcert2.php b/plugin/okname/hpcert2.php
index 1d3441e11..e28d03d45 100644
--- a/plugin/okname/hpcert2.php
+++ b/plugin/okname/hpcert2.php
@@ -109,7 +109,7 @@ $phone_no = hyphen_hp_number($req_num); $sql = " select mb_id from {$g5['member_table']} where mb_id <> '{$member['mb_id']}' and mb_dupinfo = '{$mb_dupinfo}' ";
 $row = sql_fetch($sql);
 if ($row['mb_id']) {
- alert_close("입력하신 본인학인 정보로 가입된 내역이 존재합니다.\\n회원아이디 : ".$row['mb_id']);
+ alert_close("입력하신 본인확인 정보로 가입된 내역이 존재합니다.\\n회원아이디 : ".$row['mb_id']);
 }
 // hash 데이터
From 05f1e718e126ed3d90b6bb6ceda228064058bff8 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Thu, 7 Mar 2019 16:20:06 +0900
Subject: [PATCH 3/7] =?UTF-8?q?=EA=B2=8C=EC=8B=9C=EB=AC=BC=EC=97=90?= =?UTF-8?q?=EC=84=9C=20=ED=8E=98=EC=9D=B4=EC=8A=A4=EB=B6=81=20=EC=98=81?= =?UTF-8?q?=EC=83=81=20=EC=A0=84=EC=B2=B4=ED=99=94=EB=A9=B4=EC=9D=B4=20?= =?UTF-8?q?=EA=B0=80=EB=8A=A5=ED=95=98=EB=8F=84=EB=A1=9D=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 plugin/htmlpurifier/extend.video.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
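Review bot: The new `check_log_folder(G5_OKNAME_PATH.'/log');` call carries no comment, and nothing in the hunk says what the helper guarantees for that directory or why it is run from the admin config form rather than by the plugin that writes the log; a one-line comment stating the guarantee (I cannot see the helper, so the wording has to come from its author) would spare the next reader a trip into the plugin. Because the call executes on every render of this page, it is also worth recording that it is expected to be idempotent and cheap — an assumption to confirm against the helper. The `function_exists('check_log_folder')` guard is a sensible defensive touch since the helper lives outside this file. The enclosing `if($config['cf_cert_use'])` block begins before the hunk.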
diff --git a/plugin/htmlpurifier/extend.video.php b/plugin/htmlpurifier/extend.video.php
index 96cb5b846..24ef7c8de 100644
--- a/plugin/htmlpurifier/extend.video.php
+++ b/plugin/htmlpurifier/extend.video.php
@@ -24,6 +24,7 @@ if( !class_exists('HTMLPurifier_Filter_Iframevideo') ){
 if (strstr($html, ']*>(.*?)?\/iframe>/i', array($this, 'trust_url_match'), $html);
 $html = preg_replace_callback('/]*>(.*?)?\/iframe>/i', array($this, 'trust_url_match'), $html);
+ $html = preg_replace_callback('/]*>(.*?)?\/iframe>/i', array($this, 'trust_url_match'), $html);
 //$html = preg_replace('##i', '', $html);
 }
@@ -62,9 +63,10 @@ if( !class_exists('HTMLPurifier_Filter_Iframevideo') ){
 // Domain Whitelist
 $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
 $vimeoMatch = preg_match('#src="https?://player.vimeo.com/#i', $matches[1]);
- if ($youTubeMatch || $vimeoMatch) {
+ $fackbookMatch = preg_match('#src="https?://www.facebook.com/#i', $matches[1]);
+ if ($youTubeMatch || $vimeoMatch || $fackbookMatch) {
 $extra = ' frameborder="0"';
- if ($youTubeMatch) {
+ if ($youTubeMatch || $fackbookMatch) {
 $extra .= ' allowfullscreen';
 } elseif ($vimeoMatch) {
 $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
From a870fe3777d98da60540ab5e7b6e272e0b3e8de2 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 8 Mar 2019 17:37:10 +0900
Subject: [PATCH 4/7] =?UTF-8?q?=EC=B5=9C=EC=8B=A0=EA=B8=80=20css=20?= =?UTF-8?q?=EC=98=A4=ED=83=80=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 skin/latest/basic/style.css | 2 +-
 theme/basic/skin/latest/basic/style.css | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/skin/latest/basic/style.css b/skin/latest/basic/style.css
index 8fb71ebde..efe1e874f 100644
--- a/skin/latest/basic/style.css
+++ b/skin/latest/basic/style.css
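Review bot: In the new `$fackbookMatch = preg_match('#src="https?://www.facebook.com/#i', $matches[1]);` the dots are unescaped, so each `.` matches any single character and a host that differs from `www.facebook.com` only at those positions also clears the whitelist; the pre-existing youtube and vimeo patterns share the weakness, but a new entry should not repeat it. Escape them, `'#src="https?://www\.facebook\.com/#i'`, or build the pattern with `preg_quote()`, and the same one-line fix can be applied to the two older patterns while here. The variable is also misspelt; `$facebookMatch` keeps the naming parallel with `$youTubeMatch` and `$vimeoMatch`. The method containing this code (presumably `trust_url_match`, given the `$matches` parameter and the callback registered in the first hunk) starts before the hunk and continues after it.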
@@ -6,7 +6,7 @@
 .lat .lat_title a{color:#253dbe;display:inline-block;position:relative}
 .lat .lat_title a:after{position:absolute;bottom:-1px;left:0;width:100%;height:2px;background:#253dbe;content:''}
 .lat ul{padding:15px 20px}
-.lat li {position:relative;line-height:18px;padding:3px 0;padding-right:50px;padding-left:10px;position:relative}
+.lat li {position:relative;line-height:18px;padding:3px 0;padding-right:50px;padding-left:10px}
 .lat li:before{position: absolute;top: 12px;left: 0px;width: 4px;height: 4px;background: #aaa;content: '';border-radius: 50%;}
 .lat li a:hover{color:#a22121}
 .lat li .fa-heart{color:#ff0000;}
diff --git a/theme/basic/skin/latest/basic/style.css b/theme/basic/skin/latest/basic/style.css
index 8fb71ebde..efe1e874f 100644
--- a/theme/basic/skin/latest/basic/style.css
+++ b/theme/basic/skin/latest/basic/style.css
@@ -6,7 +6,7 @@
 .lat .lat_title a{color:#253dbe;display:inline-block;position:relative}
 .lat .lat_title a:after{position:absolute;bottom:-1px;left:0;width:100%;height:2px;background:#253dbe;content:''}
 .lat ul{padding:15px 20px}
-.lat li {position:relative;line-height:18px;padding:3px 0;padding-right:50px;padding-left:10px;position:relative}
+.lat li {position:relative;line-height:18px;padding:3px 0;padding-right:50px;padding-left:10px}
 .lat li:before{position: absolute;top: 12px;left: 0px;width: 4px;height: 4px;background: #aaa;content: '';border-radius: 50%;}
 .lat li a:hover{color:#a22121}
 .lat li .fa-heart{color:#ff0000;}
From a844347c4cb9f1b39838bc21e2014d0b38e4f163 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 12 Mar 2019 12:06:45 +0900
Subject: [PATCH 5/7] =?UTF-8?q?KVE-2019-0556,=200566=20=EC=B7=A8=EC=95=BD?= =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/board_form.php | 2 +-
 bbs/write.php | 2 +-
 common.php | 30 ++++++++++++++++--------------
 3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/adm/board_form.php b/adm/board_form.php
index d71dccbfd..509b29712 100644
--- a/adm/board_form.php
+++ b/adm/board_form.php
@@ -918,7 +918,7 @@ $pg_anchor = '
    - +
diff --git a/bbs/write.php b/bbs/write.php
index 7722f3456..94cece956 100644
--- a/bbs/write.php
+++ b/bbs/write.php
@@ -362,7 +362,7 @@ if (isset($write['wr_subject'])) {
 $content = '';
 if ($w == '') {
- $content = $board['bo_insert_content'];
+ $content = html_purifier($board['bo_insert_content']);
 } else if ($w == 'r') {
 if (!strstr($write['wr_option'], 'html')) {
 $content = "\n\n\n > "
diff --git a/common.php b/common.php
index c24c56e07..542a80dae 100644
--- a/common.php
+++ b/common.php
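Review bot: `$content = html_purifier($board['bo_insert_content']);` sanitises the board's default content only in the `$w == ''` branch; the `else if ($w == 'r')` branch visible below and whatever follows the hunk build `$content` from other sources, so the change is complete only if `bo_insert_content` is consumed nowhere else in this file, and a short comment on the line stating that the stored value is treated as untrusted HTML would make the intent survive the next edit. Since `bo_insert_content` is admin-supplied and presumably saved by adm/board_form_update.php (touched earlier in this series), purifying it once at save time and keeping this call as defence in depth would also avoid running the purifier on every render of the write form. The `if (isset($write['wr_subject']))` block that contains this code starts before the hunk.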
@@ -29,20 +29,22 @@ for ($i=0; $i<$ext_cnt; $i++) {
 function g5_path()
 {
- $chroot = substr($_SERVER['SCRIPT_FILENAME'], 0, strpos($_SERVER['SCRIPT_FILENAME'], dirname(__FILE__)));
- $result['path'] = str_replace('\\', '/', $chroot.dirname(__FILE__));
- $tilde_remove = preg_replace('/^\/\~[^\/]+(.*)$/', '$1', $_SERVER['SCRIPT_NAME']);
- $document_root = str_replace($tilde_remove, '', $_SERVER['SCRIPT_FILENAME']);
- $pattern = '/' . preg_quote($document_root, '/') . '/i';
- $root = preg_replace($pattern, '', $result['path']);
- $port = ($_SERVER['SERVER_PORT'] == 80 || $_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT'];
- $http = 'http' . ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ? 's' : '') . '://';
- $user = str_replace(preg_replace($pattern, '', $_SERVER['SCRIPT_FILENAME']), '', $_SERVER['SCRIPT_NAME']);
- $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'];
- if(isset($_SERVER['HTTP_HOST']) && preg_match('/:[0-9]+$/', $host))
- $host = preg_replace('/:[0-9]+$/', '', $host);
- $host = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", '', $host);
- $result['url'] = $http.$host.$port.$user.$root;
+ $chroot = substr($_SERVER['SCRIPT_FILENAME'], 0, strpos($_SERVER['SCRIPT_FILENAME'], dirname(__FILE__)));
+ $result['path'] = str_replace('\\', '/', $chroot.dirname(__FILE__));
+ $server_script_name = preg_replace('/\/+/', '/', str_replace('\\', '/', $_SERVER['SCRIPT_NAME']));
+ $server_script_filename = preg_replace('/\/+/', '/', str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']));
+ $tilde_remove = preg_replace('/^\/\~[^\/]+(.*)$/', '$1', $server_script_name);
+ $document_root = str_replace($tilde_remove, '', $server_script_filename);
+ $pattern = '/' . preg_quote($document_root, '/') . '/i';
+ $root = preg_replace($pattern, '', $result['path']);
+ $port = ($_SERVER['SERVER_PORT'] == 80 || $_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT'];
+ $http = 'http' . ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ? 's' : '') . '://';
+ $user = str_replace(preg_replace($pattern, '', $server_script_filename), '', $server_script_name);
+ $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'];
+ if(isset($_SERVER['HTTP_HOST']) && preg_match('/:[0-9]+$/', $host))
+ $host = preg_replace('/:[0-9]+$/', '', $host);
+ $host = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", '', $host);
+ $result['url'] = $http.$host.$port.$user.$root;
 return $result;
 }
From 896444ce1a27c7f56f883e23d18664bd37797049 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 13 Mar 2019 09:40:10 +0900
Subject: [PATCH 6/7] =?UTF-8?q?=EA=B2=8C=EC=8B=9C=ED=8C=90=20=EB=B3=B5?= =?UTF-8?q?=EC=82=AC,=20=EC=9D=B4=EB=8F=99=20=EC=BD=94=EB=93=9C=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/move_update.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/bbs/move_update.php b/bbs/move_update.php
index d956ff0d7..92a5e2d18 100644
--- a/bbs/move_update.php
+++ b/bbs/move_update.php
@@ -196,8 +196,10 @@ if ($sw == 'move') {
 for ($i=0; $i
Date: Tue, 19 Mar 2019 11:21:48 +0900
Subject: [PATCH 7/7] =?UTF-8?q?5.3.2.8=20=EB=B2=84=EC=A0=84=EC=9C=BC?= =?UTF-8?q?=EB=A1=9C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.php b/config.php
index b26748df7..7d1ff4c27 100644
--- a/config.php
+++ b/config.php
@@ -5,7 +5,7 @@
 ********************/
 define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.3.2.7');
+define('G5_GNUBOARD_VER', '5.3.2.8');
 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
 define('_GNUBOARD_', true);
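Review bot: In the rewritten `g5_path()` the `$host` value is still taken from `$_SERVER['HTTP_HOST']` and merely has a handful of characters stripped by `$host = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", '', $host);` before it becomes part of `$result['url']`; the Host header is client-controlled, so every absolute URL later derived from `$result['url']` follows whatever host the request carried, and a server-side configured value or an allow-list of expected hosts would be the robust source. The slash normalisation introduced for `$server_script_name` and `$server_script_filename` addresses the path half, but `$result['path']` is still built from the raw `$_SERVER['SCRIPT_FILENAME']` through `$chroot`, so the two halves could disagree on a host that reports doubled slashes or backslashes; if that is deliberate, a comment should say so. `$_SERVER['HTTPS']=='on'` is a loose comparison where `=== 'on'` is the idiom, and a docblock naming the two keys the function returns (`path` and `url`) and the `$_SERVER` inputs it depends on would help, since callers across the codebase rely on this shape. The function lies entirely within the hunk, which ends with its closing brace.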