[KVE-2020-0097,0113,0114,0056]그누보드 다중 취약점 수정

adm/board_form_update.php

@@ -60,6 +60,11 @@
     alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
 
+if( function_exists('filter_input_include_path') ){
+    $bo_include_head = filter_input_include_path($bo_include_head);
+    $bo_include_tail = filter_input_include_path($bo_include_tail);
+}
+
 $board_path = G5_DATA_PATH.'/file/'.$bo_table;
 
 // 게시판 디렉토리 생성

adm/contentformupdate.php

@@ -71,6 +71,11 @@
     $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }
 
+if( function_exists('filter_input_include_path') ){
+    $co_include_head = filter_input_include_path($co_include_head);
+    $co_include_tail = filter_input_include_path($co_include_tail);
+}
+
 $co_seo_title = exist_seo_title_recursive('content', generate_seo_title($co_subject), $g5['content_table'], $co_id);
 
 $sql_common = " co_include_head     = '$co_include_head',

adm/qa_config_update.php

@@ -56,6 +56,11 @@
     $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }
 
+if( function_exists('filter_input_include_path') ){
+    $qa_include_head = filter_input_include_path($qa_include_head);
+    $qa_include_tail = filter_input_include_path($qa_include_tail);
+}
+
 $sql = " update {$g5['qa_config_table']}
             set qa_title                = '{$_POST['qa_title']}',
                 qa_category             = '{$_POST['qa_category']}',

lib/common.lib.php

@@ -3022,6 +3022,9 @@ function clean_xss_tags($str, $check_entities=0)
         if( $check_entities ){
             $result = str_replace(array(':', '(', ')', '
', '	'), '', $result);
         }
+
+        $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius',
+                '$1$2', $result);
 
         if((string)$result === (string)$str) break;
 
@@ -3695,10 +3698,10 @@ function is_include_path_check($path='', $is_input='')
             // 장태진 @jtjisgod <jtjisgod@gmail.com> 추가
             // 보안 목적 : rar wrapper 차단
 
-            if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false ){
+            if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false || stripos($path, '://') !== false ){
                 return false;
             }
-            
+
             $replace_path = str_replace('\\', '/', $path);
             $slash_count = substr_count(str_replace('\\', '/', $_SERVER['SCRIPT_NAME']), '/');
             $peer_count = substr_count($replace_path, '../');
@@ -3767,6 +3770,10 @@ function is_include_path_check($path='', $is_input='')
     return true;
 }
 
+function filter_input_include_path($path){
+    return str_replace('//', '/', $path);
+}
+
 function option_array_checked($option, $arr=array()){
     $checked = '';
 

plugin/social/register_member_update.php

@@ -53,6 +53,7 @@
 
 }
 
+if ($msg = valid_mb_id($mb_id))         alert($msg, "", true, true);
 if ($msg = empty_mb_name($mb_name))       alert($msg, "", true, true);
 if ($msg = empty_mb_nick($mb_nick))     alert($msg, "", true, true);
 if ($msg = empty_mb_email($mb_email))   alert($msg, "", true, true);
@@ -68,6 +69,10 @@
 if ($msg = exist_mb_nick($mb_nick, $mb_id))     alert($msg, "", true, true);
 if ($msg = exist_mb_email($mb_email, $mb_id))   alert($msg, "", true, true);
 
+if( $mb = get_member($mb_id) ){
+    alert("이미 등록된 회원이 존재합니다.", G5_URL);
+}
+
 $data = array(
 'mb_id' =>  $mb_id,
 'mb_password'   =>  get_encrypt_string($mb_password),