Permalink
Browse files

KVE-2018-0441,0449,0510 그누보드 영카트 다중 취약점 수정

  • Loading branch information...
thisgun committed Aug 17, 2018
1 parent a7a8f45 commit c03fec73b9aeb6571271f4141788e614cc3f6e82
@@ -14,19 +14,19 @@
if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); }
if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); }
$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255));
$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255));
$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255));
$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255));
// 관리자가 자동등록방지를 사용해야 할 경우
if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
if (!chk_captcha()) {
alert('자동등록방지 숫자가 틀렸습니다.');
}
}
if ($file = $_POST['bo_include_head']) {
if ($file = $bo_include_head) {
$file_ext = pathinfo($file, PATHINFO_EXTENSION);
if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
@@ -35,7 +35,7 @@
$_POST['bo_include_head'] = $file;
}
if ($file = $_POST['bo_include_tail']) {
if ($file = $bo_include_tail) {
$file_ext = pathinfo($file, PATHINFO_EXTENSION);
if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
@@ -44,11 +44,11 @@
$_POST['bo_include_tail'] = $file;
}
if(!is_include_path_check($_POST['bo_include_head'], 1)) {
if(!is_include_path_check($bo_include_head, 1)) {
alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
}
if(!is_include_path_check($_POST['bo_include_tail'], 1)) {
if(!is_include_path_check($bo_include_tail, 1)) {
alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
}
@@ -125,8 +125,8 @@
// 최고 관리자인 경우에만 수정가능
if ($is_admin === 'super'){
$sql_common .= " bo_include_head = '{$_POST['bo_include_head']}',
bo_include_tail = '{$_POST['bo_include_tail']}',
$sql_common .= " bo_include_head = '".$bo_include_head."',
bo_include_tail = '".$bo_include_tail."',
bo_content_head = '{$_POST['bo_content_head']}',
bo_content_tail = '{$_POST['bo_content_tail']}',
bo_mobile_content_head = '{$_POST['bo_mobile_content_head']}',
@@ -20,8 +20,11 @@
$co_row = sql_fetch($sql);
}
$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255));
$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
// 관리자가 자동등록방지를 사용해야 할 경우
if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
if (!chk_captcha()) {
@@ -12,8 +12,11 @@
$qaconfig = get_qa_config();
$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255));
$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255));
// 관리자가 자동등록방지를 사용해야 할 경우
if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
if (!chk_captcha()) {
@@ -43,12 +43,12 @@
?>

<form name="book_form" id="book_form" method="post" action="./num_book_update.php">
<input type="hidden" name="w" value="<?php echo $w?>">
<input type="hidden" name="page" value="<?php echo $page?>">
<input type="hidden" name="ap" value="<?php echo $ap?>">
<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>">
<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
<input type="hidden" name="ap" value="<?php echo get_sanitize_input($ap); ?>">
<input type="hidden" name="bk_no" value="<?php echo $write['bk_no']?>">
<input type="hidden" name="mb_id" id="mb_id" value="<?php echo $write['mb_id']?>">
<input type="hidden" name="get_bg_no" value="<?php echo $bg_no?>">
<input type="hidden" name="get_bg_no" value="<?php echo get_sanitize_input($bg_no); ?>">

<div class="tbl_frm01 tbl_wrap">
<table>
@@ -187,14 +187,12 @@ function book_submit(){
if($check_msg.size()> 0)
$check_msg.remove();
// $("#exist_msg").text("<?php echo $exist_msg_2; ?>");
is_submit = true;
} else {
if($check_msg.size() < 1)
$("input#bk_hp").after("<div id=\"hp_check_el\"><h3>이 번호를 쓰는 회원 정보</h3><ul></ul></div>");
$("#hp_check_el").find("ul").html( list_text );
// $("#exist_msg").html("<?php echo $exist_msg_1 ?>");
if(confirm("회원 정보에 중복 휴대폰 번호가 있습니다.수정하실 경우 회원정보에 반영되지 않습니다.\n수정하시겠습니까?"))
is_submit = true;
@@ -12,14 +12,13 @@
$email_enc = new str_encrypt();
$to = $email_enc->decrypt($to);
if (substr_count($to, "@") > 1)
alert_close('한번에 한사람에게만 메일을 발송할 수 있습니다.');
if (!chk_captcha()) {
alert('자동등록방지 숫자가 틀렸습니다.');
}
if (!preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)){
alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.');
}
$file = array();
for ($i=1; $i<=$attach; $i++) {
@@ -24,6 +24,10 @@
// url 체크
check_url_host($url, '', G5_URL, true);
if( preg_match('#^/{3,}#', $url) ){
$url = preg_replace('#^/{3,}#', '/', $url);
}
$url = get_text($url);
include_once($member_skin_path.'/member_confirm.skin.php');
@@ -3269,7 +3269,7 @@ class str_encrypt
function __construct($salt='')
{
if(!$salt)
$this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), G5_MYSQL_PASSWORD));
$this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT']));
else
$this->salt = $salt;
@@ -3438,7 +3438,7 @@ function is_include_path_check($path='', $is_input='')
if( $path ){
if ($is_input){
if( stripos($path, 'php://') !== false || stripos($path, 'zlib://') !== false || stripos($path, 'bzip2://') !== false || stripos($path, 'zip://') !== false || stripos($path, 'data:text/') !== false || stripos($path, 'data://') !== false ){
if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){
return false;
}
@@ -3478,7 +3478,7 @@ function is_include_path_check($path='', $is_input='')
return false;
}
if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $path) ){
if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){
return false;
}
}

0 comments on commit c03fec7

Please sign in to comment.