XSS 취약점 수정

2015-07-14 12:01:21 +09:00
parent aa140eb846
commit f74e8f7250
9 changed files with 20 additions and 5 deletions
--- a/bbs/alert.php
+++ b/bbs/alert.php
@ -30,7 +30,8 @@ include_once(G5_PATH.'/head.sub.php');

 $msg2 = str_replace("\\n", "<br>", $msg);

-if (!$url) $url = $_SERVER['HTTP_REFERER'];
+$url = clean_xss_tags($url);
+if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);

 // url 체크
 check_url_host($url);
--- a/bbs/confirm.php
+++ b/bbs/confirm.php
@ -2,6 +2,10 @@
 include_once('./_common.php');
 include_once(G5_PATH.'/head.sub.php');

+$url1 = clean_xss_tags($url1);
+$url2 = clean_xss_tags($url2);
+$url3 = clean_xss_tags($url3);
+
 // url 체크
 check_url_host($url1);
 check_url_host($url2);
--- a/bbs/move.php
+++ b/bbs/move.php
@ -55,7 +55,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
    <input type="hidden" name="sod" value="<?php echo $sod ?>">
    <input type="hidden" name="page" value="<?php echo $page ?>">
    <input type="hidden" name="act" value="<?php echo $act ?>">
-    <input type="hidden" name="url" value="<?php echo $_SERVER['HTTP_REFERER'] ?>">
+    <input type="hidden" name="url" value="<?php echo clean_xss_tags($_SERVER['HTTP_REFERER']); ?>">

    <div class="tbl_head01 tbl_wrap">
        <table>
--- a/bbs/move_update.php
+++ b/bbs/move_update.php
@ -1,5 +1,6 @@
 <?php
 include_once('./_common.php');
+print_r2($_POST);exit;

 // 게시판 관리자 이상 복사, 이동 가능
 if ($is_admin != 'board' && $is_admin != 'group' && $is_admin != 'super')
--- a/bbs/new.php
+++ b/bbs/new.php
@ -17,6 +17,8 @@ if ($view == "w")
    $sql_common .= " and a.wr_id = a.wr_parent ";
 else if ($view == "c")
    $sql_common .= " and a.wr_id <> a.wr_parent ";
+else
+    $view = '';

 $mb_id = isset($_GET['mb_id']) ? ($_GET['mb_id']) : '';
 $mb_id = substr(preg_replace('#[^a-z0-9_]#i', '', $mb_id), 0, 20);
--- a/bbs/register_form.php
+++ b/bbs/register_form.php
@ -30,6 +30,9 @@ if ($w == "") {
        alert('개인정보처리방침안내의 내용에 동의하셔야 회원가입 하실 수 있습니다.', G5_BBS_URL.'/register.php');
    }

+    $agree  = preg_replace('#[^0-9]#', '', $_POST['agree']);
+    $agree2 = preg_replace('#[^0-9]#', '', $_POST['agree2']);
+
    $member['mb_birth'] = '';
    $member['mb_sex']   = '';
    $member['mb_name']  = '';
--- a/bbs/search.php
+++ b/bbs/search.php
@ -17,7 +17,7 @@ if ($stx) {
    $stx = preg_replace('/\//', '\/', trim($stx));
    $sop = strtolower($sop);
    if (!$sop || !($sop == 'and' || $sop == 'or')) $sop = 'and'; // 연산자 and , or
-    $srows = isset($_GET['srows']) ? preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
+    $srows = isset($_GET['srows']) ? (int)preg_replace('#[^0-9]#', '', $_GET['srows']) : 10;
    if (!$srows) $srows = 10; // 한페이지에 출력하는 검색 행수

    $g5_search['tables'] = Array();