KVE-2018-0300,0331,0356,0358,0370 그누보드/영카트 다중 취약점 수정

gnuboard · May 23, 2018 · 2428749 · 2428749
1 parent 599dd58
commit 2428749
Show file tree

Hide file tree

Showing 9 changed files with 13 additions and 4 deletions.
diff --git a/adm/shop_admin/inorderlistdelete.php b/adm/shop_admin/inorderlistdelete.php
@@ -6,7 +6,7 @@
 
 auth_check($auth[$sub_menu], 'd');
 
-check_token();
+check_admin_token();
 
 $count = count($_POST['chk']);
 if(!$count)

diff --git a/adm/shop_admin/itemeventlist.php b/adm/shop_admin/itemeventlist.php
@@ -6,6 +6,7 @@
 
 $ev_id = preg_replace('/[^0-9]/', '', $ev_id);
 $sort1 = strip_tags($sort1);
+if (!in_array($sort1, array('a.it_id', 'it_name'))) $sort1 = "a.it_id";
 $sel_field = strip_tags($sel_field);
 $sel_ca_id = get_search_string($sel_ca_id);
 $search = get_search_string($search);

diff --git a/adm/shop_admin/itemsellrank.php b/adm/shop_admin/itemsellrank.php
@@ -11,6 +11,7 @@
 if (!$to_date) $to_date = date("Ymd", time());
 
 if ($sort1 == "") $sort1 = "ct_status_sum";
+if (!in_array($sort1, array('ct_status_1', 'ct_status_2', 'ct_status_3', 'ct_status_4', 'ct_status_5', 'ct_status_6', 'ct_status_7', 'ct_status_8', 'ct_status_9', 'ct_status_sum'))) $sort1 = "ct_status_sum";
 if ($sort2 == "" || $sort2 != "asc") $sort2 = "desc";
 
 $doc = strip_tags($doc);

diff --git a/adm/shop_admin/itemstocksms.php b/adm/shop_admin/itemstocksms.php
@@ -33,6 +33,7 @@
 
 if ($sel_field == "")  $sel_field = "it_it";
 if ($sort1 == "") $sort1 = "ss_send";
+if (!in_array($sort1, array('it_id', 'ss_hp', 'ss_send', 'ss_send_time', 'ss_datetime'))) $sort1 = "ss_send";
 if ($sort2 == "" || $sort2 != "desc") $sort2 = "asc";
 
 $doc = strip_tags($doc);

diff --git a/adm/shop_admin/itemstocksmsupdate.php b/adm/shop_admin/itemstocksmsupdate.php
@@ -102,8 +102,6 @@
 
     auth_check($auth[$sub_menu], 'd');
 
-    check_token();
-
     for ($i=0; $i<count($_POST['chk']); $i++) {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];

diff --git a/adm/shop_admin/optionstocklist.php b/adm/shop_admin/optionstocklist.php
@@ -27,6 +27,7 @@
 
 if ($sel_field == "")  $sel_field = "b.it_name";
 if ($sort1 == "") $sort1 = "a.io_stock_qty";
+if (!in_array($sort1, array('b.it_name', 'a.io_stock_qty', 'a.io_use'))) $sort1 = "a.io_stock_qty";
 if ($sort2 == "") $sort2 = "asc";
 
 $sql_common = "  from {$g5['g5_shop_item_option_table']} a left join {$g5['g5_shop_item_table']} b on ( a.it_id = b.it_id ) ";

diff --git a/adm/shop_admin/personalpaylistdelete.php b/adm/shop_admin/personalpaylistdelete.php
@@ -6,7 +6,7 @@
 
 auth_check($auth[$sub_menu], 'd');
 
-check_token();
+check_admin_token();
 
 $count = count($_POST['chk']);
 if(!$count)

diff --git a/adm/shop_admin/wishlist.php b/adm/shop_admin/wishlist.php
@@ -18,6 +18,7 @@
 if( preg_match("/[^0-9]/", $to_date) ) $to_date = '';
 
 if ($sort1 == "") $sort1 = "it_id_cnt";
+if (!in_array($sort1, array('mb_id', 'it_id', 'wi_time', 'wi_ip'))) $sort1 = "it_id_cnt";
 if ($sort2 == "" || $sort2 != "asc") $sort2 = "desc";
 
 $sql  = " select a.it_id,

diff --git a/shop/taxsave.php b/shop/taxsave.php
@@ -4,6 +4,12 @@
 $g5['title'] = '주문번호 '.$od_id.' 현금영수증 발행';
 include_once(G5_PATH.'/head.sub.php');
 
+if (!$od_id){
+    alert('주문번호가 누락되었습니다.');
+}
+
+$od_id = preg_replace('/[^a-z0-9_-]/i', '', $od_id);
+
 if($tx == 'personalpay') {
     $od = sql_fetch(" select * from {$g5['g5_shop_personalpay_table']} where pp_id = '$od_id' ");
     if (!$od)