[KVE-2020-0115,0120]그누보드RCE및XSS취약점수정

gnuboard · Mar 3, 2020 · b28796d · b28796d
1 parent 1395a8f
commit b28796d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 8 deletions.
diff --git a/adm/faqlist.php b/adm/faqlist.php
@@ -68,15 +68,17 @@
         $num = $i + 1;
 
         $bg = 'bg'.($i%2);
+
+        $fa_subject = conv_content($row['fa_subject'], 1);
     ?>
 
     <tr class="<?php echo $bg; ?>">
         <td class="td_num"><?php echo $num; ?></td>
-        <td class="td_left"><?php echo stripslashes($row['fa_subject']); ?></td>
+        <td class="td_left"><?php echo $fa_subject; ?></td>
         <td class="td_num"><?php echo $row['fa_order']; ?></td>
         <td class="td_mng td_mng_m">
-            <a href="./faqform.php?w=u&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>" class="btn btn_03"><span class="sound_only"><?php echo stripslashes($row['fa_subject']); ?> </span>수정</a>
-            <a href="./faqformupdate.php?w=d&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>" onclick="return delete_confirm(this);" class="btn btn_02"><span class="sound_only"><?php echo stripslashes($row['fa_subject']); ?> </span>삭제</a>
+            <a href="./faqform.php?w=u&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>" class="btn btn_03"><span class="sound_only"><?php echo $fa_subject; ?> </span>수정</a>
+            <a href="./faqformupdate.php?w=d&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>" onclick="return delete_confirm(this);" class="btn btn_02"><span class="sound_only"><?php echo $fa_subject; ?> </span>삭제</a>
         </td>
     </tr>
 

diff --git a/lib/Cache/FileCache.class.php b/lib/Cache/FileCache.class.php
@@ -67,8 +67,14 @@ protected function _get($id)
 		{
 			return FALSE;
 		}
-
-		$data = unserialize(file_get_contents( $cache_file_path ));
+
+        try{
+            $file_contents = file_get_contents($cache_file_path);
+            $file_ex = explode("\n\n", $file_contents);
+            $data = unserialize(base64_decode($file_ex[1]));
+        } catch(Exception $e){
+            $data = array('ttl'=>1, 'time'=>time() - 1000);
+        }
 
 		if ($data['ttl'] > 0 && time() > $data['time'] + $data['ttl'])
 		{
@@ -135,7 +141,10 @@ public function save($id, $data, $ttl = 60, $raw = FALSE)
 			'data'		=> $data
 		);
 
-		if ($this->write_file($cache_file_path, serialize($contents)))
+        $cache_content = "<?php if (!defined('_GNUBOARD_')) exit; ?>\n\n";
+        $cache_content .= base64_encode(serialize($contents));
+
+		if ($this->write_file($cache_file_path, $cache_content))
 		{
 			chmod($cache_file_path, G5_FILE_PERMISSION);
 			return TRUE;
@@ -167,7 +176,7 @@ public function encode($data, $ttl)
         if ($ttl !== null) {
             $expire = time() + $ttl;
         }
-        return serialize(array($data, $expire));
+        return base64_encode(serialize(array($data, $expire)));
     }
 
     /**
@@ -181,7 +190,7 @@ public function encode($data, $ttl)
      */
     public function decode($data)
     {
-        return unserialize($data);
+        return unserialize(base64_decode($data));
     }
 }
 ?>