그누보드 Reflected XSS 취약점 (891, 906, 908, 910) 수정

gnuboard · Dec 11, 2017 · 7f9664a · 7f9664a
1 parent 8755c8e
commit 7f9664a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 9 deletions.
diff --git a/adm/poll_form.php b/adm/poll_form.php
@@ -4,6 +4,8 @@
 
 auth_check($auth[$sub_menu], 'w');
 
+$po_id = isset($po_id) ? (int) $po_id : 0;
+
 $html_title = '투표';
 if ($w == '')
     $html_title .= ' 생성';

diff --git a/adm/sms_admin/form_group_update.php b/adm/sms_admin/form_group_update.php
@@ -10,9 +10,9 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $fg_no = $_POST['fg_no'][$k];
-        $fg_name = $_POST['fg_name'][$k];
-        $fg_member = $_POST['fg_member'][$k];
+        $fg_no = (int) $_POST['fg_no'][$k];
+        $fg_name = strip_tags($_POST['fg_name'][$k]);
+        $fg_member = strip_tags($_POST['fg_member'][$k]);
 
         if (!is_numeric($fg_no))
             alert('그룹 고유번호가 없습니다.');
@@ -38,7 +38,7 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $fg_no = $_POST['fg_no'][$k];
+        $fg_no = (int) $_POST['fg_no'][$k];
 
         if (!is_numeric($fg_no))
             alert('그룹 고유번호가 없습니다.');
@@ -57,7 +57,7 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $fg_no = $_POST['fg_no'][$k];
+        $fg_no = (int) $_POST['fg_no'][$k];
 
         if ($fg_no == 'no') $fg_no = 0;
 
@@ -71,6 +71,8 @@
 {
     if ($fg_no == 'no') $fg_no = 0;
 
+    $fg_no = (int) $fg_no;
+
     if ($fg_no)
         sql_query("update {$g5['sms5_form_group_table']} set fg_count = 0 where fg_no = '$fg_no'");
 
@@ -81,6 +83,8 @@
     if (!strlen(trim($fg_name)))
         alert('그룹명을 입력해주세요');
 
+    $fg_name = strip_tags($fg_name);
+
     $res = sql_fetch("select fg_name from {$g5['sms5_form_group_table']} where fg_name = '$fg_name'");
     if ($res)
         alert('같은 그룹명이 존재합니다.');

diff --git a/adm/sms_admin/form_update.php b/adm/sms_admin/form_update.php
@@ -4,6 +4,9 @@
 
 auth_check($auth[$sub_menu], "w");
 
+$fo_name = isset($fo_name) ? strip_tags($fo_name) : '';
+$fo_content = isset($fo_content) ? strip_tags($fo_content) : '';
+
 $g5['title'] = "이모티콘 업데이트";
 
 if ($w == 'u') // 업데이트

diff --git a/adm/sms_admin/num_group_update.php b/adm/sms_admin/num_group_update.php
@@ -10,8 +10,8 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $bg_no = $_POST['bg_no'][$k];
-        $bg_name = $_POST['bg_name'][$k];
+        $bg_no = (int) $_POST['bg_no'][$k];
+        $bg_name = strip_tags($_POST['bg_name'][$k]);
 
         if (!is_numeric($bg_no))
             alert('그룹 고유번호가 없습니다.');
@@ -36,7 +36,7 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $bg_no = $_POST['bg_no'][$k];
+        $bg_no = (int) $_POST['bg_no'][$k];
 
         if (!is_numeric($bg_no))
             alert('그룹 고유번호가 없습니다.');
@@ -55,14 +55,16 @@
     {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
-        $bg_no = $_POST['bg_no'][$k];
+        $bg_no = (int) $_POST['bg_no'][$k];
 
         sql_query("update {$g5['sms5_book_group_table']} set bg_count = 0, bg_member = 0, bg_nomember = 0, bg_receipt = 0, bg_reject = 0 where bg_no='$bg_no'");
         sql_query("delete from {$g5['sms5_book_table']} where bg_no='$bg_no'");
     }
 }
 else // 등록
 {
+    $bg_name = strip_tags($bg_name);
+
     if (!strlen(trim($bg_name)))
         alert('그룹명을 입력해주세요');