From ed957cf6b3e201799a43c782c70b11f9166207bf Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 6 Feb 2017 20:00:18 +0900
Subject: [PATCH] =?UTF-8?q?LFI=20to=20RCE=20=EC=B7=A8=EC=95=BD=EC=A0=90=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/contentformupdate.php | 18 +++++++++++++++++-
 adm/qa_config_update.php | 22 +++++++++++++++++++---
 bbs/content.php | 4 ++--
 bbs/qahead.php | 2 +-
 bbs/qatail.php | 2 +-
 lib/common.lib.php | 9 +++++++++
 lib/thumbnail.lib.php | 4 ++--
 7 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index 4212eedba..53ddecc96 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@@ -18,6 +18,18 @@ check_admin_token();
 if ($co_himg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_h");
 if ($co_timg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_t");
+$error_msg = '';
+
+if( $co_include_head && ! is_include_path_check($co_include_head) ){
+ $co_include_head = '';
+ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.';
+}
+
+if( $co_include_tail && ! is_include_path_check($co_include_tail) ){
+ $co_include_tail = '';
+ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
+}
+
 $sql_common = " co_include_head = '$co_include_head',
 co_include_tail = '$co_include_tail',
 co_html = '$co_html',
@@ -74,7 +86,11 @@ if ($w == "" || $w == "u")
 @chmod($dest_path, G5_FILE_PERMISSION);
 }
- goto_url("./contentform.php?w=u&co_id=$co_id");
+ if( $error_msg ){
+ alert($error_msg, "./contentform.php?w=u&co_id=$co_id");
+ } else {
+ goto_url("./contentform.php?w=u&co_id=$co_id");
+ }
 } else {
diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php
index c83311192..6ebcbed85 100644
--- a/adm/qa_config_update.php
+++ b/adm/qa_config_update.php
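Review bot: When both `$co_include_head` and `$co_include_tail` are rejected, the second assignment to `$error_msg` overwrites the first, so the admin is told about the tail field only although both were blanked before the UPDATE. Append rather than assign (`$error_msg .= ...` with a separator) or, simpler, `alert()` as soon as the first check fails so nothing is written; the latter also avoids the present behaviour of replacing an existing valid path with '' on a rejected edit, which should at least be stated in a comment if it is intended. Both checks delegate to `is_include_path_check`, a substring denylist, so this save-side validation is only as strong as that regex.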
@@ -8,6 +8,18 @@ auth_check($auth[$sub_menu], 'w');
 check_admin_token();
+$error_msg = '';
+
+if( $qa_include_head && ! is_include_path_check($qa_include_head) ){
+ $qa_include_head = '';
+ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.';
+}
+
+if( $qa_include_tail && ! is_include_path_check($qa_include_tail) ){
+ $qa_include_tail = '';
+ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
+}
+
 $sql = " update {$g5['qa_config_table']}
 set qa_title = '{$_POST['qa_title']}',
 qa_category = '{$_POST['qa_category']}',
@@ -29,8 +41,8 @@ $sql = " update {$g5['qa_config_table']}
 qa_image_width = '{$_POST['qa_image_width']}',
 qa_upload_size = '{$_POST['qa_upload_size']}',
 qa_insert_content = '{$_POST['qa_insert_content']}',
- qa_include_head = '{$_POST['qa_include_head']}',
- qa_include_tail = '{$_POST['qa_include_tail']}',
+ qa_include_head = '{$qa_include_head}',
+ qa_include_tail = '{$qa_include_tail}',
 qa_content_head = '{$_POST['qa_content_head']}',
 qa_content_tail = '{$_POST['qa_content_tail']}',
 qa_mobile_content_head = '{$_POST['qa_mobile_content_head']}',
@@ -47,5 +59,9 @@ $sql = " update {$g5['qa_config_table']}
 qa_5 = '{$_POST['qa_5']}' ";
 sql_query($sql);
-goto_url('./qa_config.php');
+if($error_msg){
+ alert($error_msg, './qa_config.php');
+} else {
+ goto_url('./qa_config.php');
+}
 ?>
\ No newline at end of file
diff --git a/bbs/content.php b/bbs/content.php
index 52b538843..8aa2f36af 100644
--- a/bbs/content.php
+++ b/bbs/content.php
@@ -19,7 +19,7 @@ if (!$co['co_id'])
 $g5['title'] = $co['co_subject'];
-if ($co['co_include_head'])
+if (is_include_path_check($co['co_include_head']))
 @include_once($co['co_include_head']);
 else
 include_once('./_head.php');
@@ -85,7 +85,7 @@ if(is_file($skin_file)) {
 echo '
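Review bot: The new checks read `$qa_include_head` and `$qa_include_tail` as bare globals, whereas every other field in this file comes from `$_POST[...]` and the two replaced SQL lines below used `$_POST['qa_include_head']` until this commit; nothing in the hunk populates those globals, so unless common.php extracts POST into globals (presumably the framework convention, but confirm) both columns are now always written as ''. Initialise them from the request explicitly before the check, `$qa_include_head = isset($_POST['qa_include_head']) ? $_POST['qa_include_head'] : '';` and the same for `$qa_include_tail`, so the file has a single input source. As in contentformupdate.php, when both fields are rejected the tail message overwrites the head message; use `.=` or alert on the first failure.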
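Review bot: A stored `co_include_head` that now fails `is_include_path_check` is silently replaced by `./_head.php`, yet a rejected value in a row that is already in the database is precisely the indicator of earlier tampering (or of a legitimate path the regex misclassifies) that an operator would want logged. Record the rejection before falling back, e.g. `else { if ($co['co_include_head']) error_log('content.php: include path rejected for co_id '.$co['co_id']); include_once('./_head.php'); }`. The `@` on `include_once` additionally hides a missing or unreadable file, which the new check does not look at; an `is_file()` test in the same condition would make that fallback explicit too. The same remarks apply to the tail hunk of this file and to qahead.php/qatail.php.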

'.str_replace(G5_PATH.'/', '', $skin_file).'이 존재하지 않습니다.

';
 }
-if ($co['co_include_tail'])
+if (is_include_path_check($co['co_include_tail']))
 @include_once($co['co_include_tail']);
 else
 include_once('./_tail.php');
diff --git a/bbs/qahead.php b/bbs/qahead.php
index ec332be6d..d4aaa4d6e 100644
--- a/bbs/qahead.php
+++ b/bbs/qahead.php
@@ -9,7 +9,7 @@ if (G5_IS_MOBILE) {
 include_once('./_head.php');
 echo conv_content($qaconfig['qa_mobile_content_head'], 1);
 } else {
- if($qaconfig['qa_include_head'])
+ if(is_include_path_check($qaconfig['qa_include_head']))
 @include ($qaconfig['qa_include_head']);
 else
 include ('./_head.php');
diff --git a/bbs/qatail.php b/bbs/qatail.php
index 4ab23b30d..8cc00e1a3 100644
--- a/bbs/qatail.php
+++ b/bbs/qatail.php
@@ -7,7 +7,7 @@ if (G5_IS_MOBILE) {
 include_once('./_tail.php');
 } else {
 echo conv_content($qaconfig['qa_content_tail'], 1);
- if($qaconfig['qa_include_tail'])
+ if(is_include_path_check($qaconfig['qa_include_tail']))
 @include ($qaconfig['qa_include_tail']);
 else
 include ('./_tail.php');
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 8c931e905..1d74cb403 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3259,4 +3259,13 @@ function check_write_token($bo_table)
 return true;
 }
+
+// include 하는 경로에 data file 경로가 포함되어 있는지 체크합니다.
+function is_include_path_check($path='')
+{
+ if( !$path || preg_match('/\/data\/(file|editor)\/[A-Za-z0-9_]{1,20}\//', $path) ){
+ return false;
+ }
+ return true;
+}
 ?>
\ No newline at end of file
diff --git a/lib/thumbnail.lib.php b/lib/thumbnail.lib.php
index c3dac55a2..43539e5c1 100644
--- a/lib/thumbnail.lib.php
+++ b/lib/thumbnail.lib.php
@@ -273,8 +273,8 @@ function thumbnail($filename, $source_path, $target_path, $thumb_width, $thumb_h
 }
 }
 } else if ($size[2] == 3) {
- $src = imagecreatefrompng($source_file);
- imagealphablending($src, true);
+ $src = @imagecreatefrompng($source_file);
+ @imagealphablending($src, true);
 } else {
 return;
 }
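Review bot: `is_include_path_check` is a denylist, and a narrow one: the pattern only rejects `/data/file/<name>/` or `/data/editor/<name>/` with `<name>` being 1–20 characters of `[A-Za-z0-9_]`, so a directory name containing `-` or `.`, one longer than 20 characters, a doubled or `./`-interposed separator (`/data//file/`, `/data/./file/`), any other writable location (other directories under `data/`, `/tmp`) or a `php://`/`data:` stream wrapper still passes and is handed straight to `include`. Both callers only ever want a PHP file shipped with the install, so invert it into an allowlist: resolve with `realpath()`, require the result to lie under `G5_PATH` and not under `G5_DATA_PATH`, and require a `.php` suffix; missing files and wrappers then fail because `realpath()` returns false. Relative values are resolved against the current working directory, which differs between adm/ and bbs/, so the rewrite below first tries the path as given and then relative to `G5_PATH`; confirm that matches how existing configurations are written. The comment should state what is allowed rather than what is blocked, e.g. `// Only an existing .php file inside the install root and outside data/ may be included.`
```php
// Only an existing .php file inside the install root and outside data/ may be included.
// Returns false for '', stream wrappers and paths that do not resolve.
function is_include_path_check($path='')
{
    if (!$path || !is_string($path)) {
        return false;
    }
    // realpath() collapses '..', './' and doubled separators and is false for
    // php://, data: and missing files; try the path roughly as include() sees
    // it first, then relative to the install root.
    $real = realpath($path);
    if ($real === false) {
        $real = realpath(G5_PATH.'/'.$path);
    }
    $root = realpath(G5_PATH);
    $data = realpath(G5_DATA_PATH);
    if ($real === false || $root === false) {
        return false;
    }
    if (strpos($real, $root.DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if ($data !== false && strpos($real, $data.DIRECTORY_SEPARATOR) === 0) {
        return false;
    }
    return strtolower(substr($real, -4)) === '.php';
}
```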
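Review bot: The added `@` only hides the warning from a corrupt or non-PNG file; `imagecreatefrompng()` still returns false and that false is then handed to `imagealphablending()` and to the rest of `thumbnail()`, which continues past this hunk. Bail out the way the `else` branch already does: `$src = @imagecreatefrompng($source_file); if ($src === false) return;` and keep `imagealphablending($src, true);` without `@`, since it has nothing to warn about once `$src` is a valid image. On PHP 8, where GD handles are `GdImage` objects, passing false to `imagealphablending()` throws a TypeError that `@` does not suppress, so the guard is needed there regardless.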