KVE-2018-0441,0449,0510 그누보드 영카트 다중 취약점 수정

gnuboard · Aug 17, 2018 · c03fec7 · c03fec7
1 parent a7a8f45
commit c03fec7
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 24 deletions.
diff --git a/adm/board_form_update.php b/adm/board_form_update.php
@@ -14,19 +14,19 @@
 if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); }
 if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); }
 
-$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255));
-$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255));
+$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255));
+$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255));
 
 // 관리자가 자동등록방지를 사용해야 할 경우
-if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
     include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
     if (!chk_captcha()) {
         alert('자동등록방지 숫자가 틀렸습니다.');
     }
 }
 
-if ($file = $_POST['bo_include_head']) {
+if ($file = $bo_include_head) {
     $file_ext = pathinfo($file, PATHINFO_EXTENSION);
 
     if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
@@ -35,7 +35,7 @@
     $_POST['bo_include_head'] = $file;
 }
 
-if ($file = $_POST['bo_include_tail']) {
+if ($file = $bo_include_tail) {
     $file_ext = pathinfo($file, PATHINFO_EXTENSION);
 
     if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
@@ -44,11 +44,11 @@
     $_POST['bo_include_tail'] = $file;
 }
 
-if(!is_include_path_check($_POST['bo_include_head'], 1)) {
+if(!is_include_path_check($bo_include_head, 1)) {
     alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
 
-if(!is_include_path_check($_POST['bo_include_tail'], 1)) {
+if(!is_include_path_check($bo_include_tail, 1)) {
     alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
 
@@ -125,8 +125,8 @@
 
 // 최고 관리자인 경우에만 수정가능
 if ($is_admin === 'super'){
-$sql_common .= " bo_include_head     = '{$_POST['bo_include_head']}',
-                bo_include_tail     = '{$_POST['bo_include_tail']}',
+$sql_common .= " bo_include_head     = '".$bo_include_head."',
+                bo_include_tail     = '".$bo_include_tail."',
                 bo_content_head     = '{$_POST['bo_content_head']}',
                 bo_content_tail     = '{$_POST['bo_content_tail']}',
                 bo_mobile_content_head     = '{$_POST['bo_mobile_content_head']}',

diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
@@ -20,8 +20,11 @@
     $co_row = sql_fetch($sql);
 }
 
+$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255));
+$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
+
 // 관리자가 자동등록방지를 사용해야 할 경우
-if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
     include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
     if (!chk_captcha()) {

diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php
@@ -12,8 +12,11 @@
 
 $qaconfig = get_qa_config();
 
+$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255));
+$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255));
+
 // 관리자가 자동등록방지를 사용해야 할 경우
-if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
     include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
     if (!chk_captcha()) {

diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php
@@ -43,12 +43,12 @@
 ?>
 
 <form name="book_form" id="book_form" method="post" action="./num_book_update.php">
-<input type="hidden" name="w" value="<?php echo $w?>">
-<input type="hidden" name="page" value="<?php echo $page?>">
-<input type="hidden" name="ap" value="<?php echo $ap?>">
+<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
+<input type="hidden" name="ap" value="<?php echo get_sanitize_input($ap); ?>">
 <input type="hidden" name="bk_no" value="<?php echo $write['bk_no']?>">
 <input type="hidden" name="mb_id" id="mb_id" value="<?php echo $write['mb_id']?>">
-<input type="hidden" name="get_bg_no" value="<?php echo $bg_no?>">
+<input type="hidden" name="get_bg_no" value="<?php echo get_sanitize_input($bg_no); ?>">
 
 <div class="tbl_frm01 tbl_wrap">
     <table>
@@ -187,14 +187,12 @@ function book_submit(){
                     if($check_msg.size()> 0)
                         $check_msg.remove();
 
-//                    $("#exist_msg").text("<?php echo $exist_msg_2; ?>");
                     is_submit = true;
                 } else {
                     if($check_msg.size() < 1)
                         $("input#bk_hp").after("<div id=\"hp_check_el\"><h3>이 번호를 쓰는 회원 정보</h3><ul></ul></div>");
 
                     $("#hp_check_el").find("ul").html( list_text );
-//                    $("#exist_msg").html("<?php echo $exist_msg_1 ?>");
 
                     if(confirm("회원 정보에 중복 휴대폰 번호가 있습니다.수정하실 경우 회원정보에 반영되지 않습니다.\n수정하시겠습니까?"))
                         is_submit = true;

diff --git a/bbs/formmail_send.php b/bbs/formmail_send.php
@@ -12,14 +12,13 @@
 $email_enc = new str_encrypt();
 $to = $email_enc->decrypt($to);
 
-if (substr_count($to, "@") > 1)
-    alert_close('한번에 한사람에게만 메일을 발송할 수 있습니다.');
-
-
 if (!chk_captcha()) {
     alert('자동등록방지 숫자가 틀렸습니다.');
 }
 
+if (!preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)){
+    alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.');
+}
 
 $file = array();
 for ($i=1; $i<=$attach; $i++) {

diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
@@ -24,6 +24,10 @@
 // url 체크
 check_url_host($url, '', G5_URL, true);
 
+if( preg_match('#^/{3,}#', $url) ){
+    $url = preg_replace('#^/{3,}#', '/', $url);
+}
+
 $url = get_text($url);
 
 include_once($member_skin_path.'/member_confirm.skin.php');

diff --git a/lib/common.lib.php b/lib/common.lib.php
@@ -3269,7 +3269,7 @@ class str_encrypt
     function __construct($salt='')
     {
         if(!$salt)
-            $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), G5_MYSQL_PASSWORD));
+            $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT']));
         else
             $this->salt = $salt;
 
@@ -3438,7 +3438,7 @@ function is_include_path_check($path='', $is_input='')
     if( $path ){
         if ($is_input){
 
-            if( stripos($path, 'php://') !== false || stripos($path, 'zlib://') !== false || stripos($path, 'bzip2://') !== false || stripos($path, 'zip://') !== false || stripos($path, 'data:text/') !== false || stripos($path, 'data://') !== false ){
+            if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){
                 return false;
             }
 
@@ -3478,7 +3478,7 @@ function is_include_path_check($path='', $is_input='')
                 return false;
             }
 
-            if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $path) ){
+            if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){
                 return false;
             }
         }