게시글 CSRF 취약점(16-749 16-750) 수정

gnuboard · Oct 17, 2016 · e99c7a8 · e99c7a8
1 parent ce0a6dc
commit e99c7a8
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 2 deletions.
diff --git a/adm/admin.tail.php b/adm/admin.tail.php
@@ -21,7 +21,7 @@
 
 <!-- <p>실행시간 : <?php echo get_microtime() - $begin_time; ?> -->
 
-<script src="<?php echo G5_ADMIN_URL ?>/admin.js<?php echo G5_JS_VER; ?>"></script>
+<script src="<?php echo G5_ADMIN_URL ?>/admin.js?ver=<?php echo G5_JS_VER; ?>"></script>
 <script>
 $(function(){
     var hide_menu = false;

diff --git a/adm/board_copy.php b/adm/board_copy.php
@@ -8,7 +8,7 @@
 include_once(G5_PATH.'/head.sub.php');
 ?>
 
-<script src="<?php echo G5_ADMIN_URL ?>/admin.js<?php echo G5_JS_VER; ?>"></script>
+<script src="<?php echo G5_ADMIN_URL ?>/admin.js?ver=<?php echo G5_JS_VER; ?>"></script>
 
 <div class="new_win">
     <h1><?php echo $g5['title']; ?></h1>

diff --git a/bbs/write_token.php b/bbs/write_token.php
@@ -0,0 +1,13 @@
+<?php
+include_once('./_common.php');
+include_once(G5_LIB_PATH.'/json.lib.php');
+
+if(!$bo_table)
+   die(json_encode(array('error'=>'게시판 정보가 올바르지 않습니다.', 'url'=>G5_URL)));
+
+set_session('ss_write_'.$bo_table.'_token', '');
+
+$token = get_write_token($bo_table);
+
+die(json_encode(array('error'=>'', 'token'=>$token, 'url'=>'')));
+?>
diff --git a/bbs/write_update.php b/bbs/write_update.php
@@ -3,6 +3,9 @@
 include_once(G5_LIB_PATH.'/naver_syndi.lib.php');
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
+// 토큰체크
+check_write_token($bo_table);
+
 $g5['title'] = '게시글 저장';
 
 $msg = array();

diff --git a/js/common.js b/js/common.js
@@ -689,4 +689,53 @@ $(function(){
             return false;
         }
     });
+});
+
+function get_write_token(bo_table)
+{
+    var token = "";
+
+    $.ajax({
+        type: "POST",
+        url: g5_bbs_url+"/write_token.php",
+        data: { bo_table: bo_table },
+        cache: false,
+        async: false,
+        dataType: "json",
+        success: function(data) {
+            if(data.error) {
+                alert(data.error);
+                if(data.url)
+                    document.location.href = data.url;
+
+                return false;
+            }
+
+            token = data.token;
+        }
+    });
+
+    return token;
+}
+
+$(function() {
+    $(document).on("click", "form[name=fwrite] input:submit", function() {
+        var f = this.form;
+        var bo_table = f.bo_table.value;
+        var token = get_write_token(bo_table);
+
+        if(!token) {
+            alert("토큰 정보가 올바르지 않습니다.");
+            return false;
+        }
+
+        var $f = $(f);
+
+        if(typeof f.token === "undefined")
+            $f.prepend('<input type="hidden" name="token" value="">');
+
+        $f.find("input[name=token]").val(token);
+
+        return true;
+    });
 });
diff --git a/lib/common.lib.php b/lib/common.lib.php
@@ -3233,4 +3233,29 @@ function decrypt($str) {
         return $result;
     }
 }
+
+// 불법접근을 막도록 토큰을 생성하면서 토큰값을 리턴
+function get_write_token($bo_table)
+{
+    $token = md5(uniqid(rand(), true));
+    set_session('ss_write_'.$bo_table.'_token', $token);
+
+    return $token;
+}
+
+
+// POST로 넘어온 토큰과 세션에 저장된 토큰 비교
+function check_write_token($bo_table)
+{
+    if(!$bo_table)
+        alert('올바른 방법으로 이용해 주십시오.', G5_URL);
+
+    $token = get_session('ss_write_'.$bo_table.'_token');
+    set_session('ss_write_'.$bo_table.'_token', '');
+
+    if(!$token || !$_REQUEST['token'] || $token != $_REQUEST['token'])
+        alert('올바른 방법으로 이용해 주십시오.', G5_URL);
+
+    return true;
+}
 ?>