KVE-2019-0082 원격취약점 수정

gnuboard · Mar 19, 2019 · 4f6bbdf · 4f6bbdf
1 parent 99d3cf8
commit 4f6bbdf
Show file tree

Hide file tree

Showing 10 changed files with 52 additions and 36 deletions.
diff --git a/adm/shop_admin/couponzonelist_delete.php b/adm/shop_admin/couponzonelist_delete.php
@@ -16,8 +16,9 @@
 {
     // 실제 번호를 넘김
     $k = $_POST['chk'][$i];
+    $ccz_id = (int) $_POST['cz_id'][$k];
 
-    $sql = " delete from {$g5['g5_shop_coupon_zone_table']} where cz_id = '{$_POST['cz_id'][$k]}' ";
+    $sql = " delete from {$g5['g5_shop_coupon_zone_table']} where cz_id = '{$ccz_id}' ";
     sql_query($sql);
 }
 

diff --git a/adm/shop_admin/itemeventformupdate.php b/adm/shop_admin/itemeventformupdate.php
@@ -19,10 +19,13 @@
 if ($ev_himg_del)  @unlink(G5_DATA_PATH."/event/{$ev_id}_h");
 if ($ev_timg_del)  @unlink(G5_DATA_PATH."/event/{$ev_id}_t");
 
+$ev_skin = preg_replace('#\.+/#', '', $ev_skin);
+$ev_mobile_skin = preg_replace('#\.+/#', '', $ev_mobile_skin);
+
 $skin_regex_patten = "^list.[0-9]+\.skin\.php";
 
-$ev_skin = (preg_match("/$pattern/", $ev_skin) && G5_SHOP_SKIN_PATH.'/'.file_exists($ev_skin)) ? $ev_skin : ''; 
-$ev_mobile_skin = (preg_match("/$pattern/", $ev_mobile_skin) && G5_MSHOP_SKIN_PATH.'/'.file_exists($ev_mobile_skin)) ? $ev_mobile_skin : ''; 
+$ev_skin = (preg_match("/$skin_regex_patten/", $ev_skin) && file_exists(G5_SHOP_SKIN_PATH.'/'.$ev_skin)) ? $ev_skin : ''; 
+$ev_mobile_skin = (preg_match("/$skin_regex_patten/", $ev_mobile_skin) && file_exists(G5_MSHOP_SKIN_PATH.'/'.$ev_mobile_skin)) ? $ev_mobile_skin : ''; 
 
 $sql_common = " set ev_skin             = '$ev_skin',
                     ev_mobile_skin      = '$ev_mobile_skin',

diff --git a/adm/shop_admin/itemeventlistupdate.php b/adm/shop_admin/itemeventlistupdate.php
@@ -8,16 +8,18 @@
 
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
+    $iit_id = preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$i]);
+
     $sql = " delete from {$g5['g5_shop_event_item_table']}
               where ev_id = '$ev_id'
-                and it_id = '{$_POST['it_id'][$i]}' ";
+                and it_id = '{$iit_id}' ";
     sql_query($sql);
 
-    if ($_POST['ev_chk'][$i])
+    if (isset($_POST['ev_chk'][$i]) && $_POST['ev_chk'][$i])
     {
         $sql = "insert into {$g5['g5_shop_event_item_table']}
                    set ev_id = '$ev_id',
-                       it_id = '{$_POST['it_id'][$i]}' ";
+                       it_id = '{$iit_id}' ";
         sql_query($sql);
     }
 

diff --git a/adm/shop_admin/itemqalistupdate.php b/adm/shop_admin/itemqalistupdate.php
@@ -17,8 +17,9 @@
     for ($i=0; $i<count($_POST['chk']); $i++) {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
+        $iiq_id = (int) $_POST['iq_id'][$k];
 
-        $sql = "delete from {$g5['g5_shop_item_qa_table']} where iq_id = '{$_POST['iq_id'][$k]}' ";
+        $sql = "delete from {$g5['g5_shop_item_qa_table']} where iq_id = '{$iiq_id}' ";
         sql_query($sql);
     }
 }

diff --git a/adm/shop_admin/itemstocklistupdate.php b/adm/shop_admin/itemstocklistupdate.php
@@ -12,12 +12,12 @@
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
     $sql = "update {$g5['g5_shop_item_table']}
-               set it_stock_qty    = '{$_POST['it_stock_qty'][$i]}',
-                   it_noti_qty     = '{$_POST['it_noti_qty'][$i]}',
-                   it_use          = '{$_POST['it_use'][$i]}',
-                   it_soldout      = '{$_POST['it_soldout'][$i]}',
-                   it_stock_sms    = '{$_POST['it_stock_sms'][$i]}'
-             where it_id = '{$_POST['it_id'][$i]}' ";
+               set it_stock_qty    = '".sql_real_escape_string($_POST['it_stock_qty'][$i])."',
+                   it_noti_qty     = '".sql_real_escape_string($_POST['it_noti_qty'][$i])."',
+                   it_use          = '".sql_real_escape_string($_POST['it_use'][$i])."',
+                   it_soldout      = '".sql_real_escape_string($_POST['it_soldout'][$i])."',
+                   it_stock_sms    = '".sql_real_escape_string($_POST['it_stock_sms'][$i])."'
+             where it_id = '".sql_real_escape_string($_POST['it_id'][$i])."' ";
     sql_query($sql);
 }
 

diff --git a/adm/shop_admin/itemstocksmsupdate.php b/adm/shop_admin/itemstocksmsupdate.php
@@ -20,10 +20,11 @@
 
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
+        $sss_id = (int) $_POST['ss_id'][$k];
 
         $sql = " select a.ss_id, a.ss_hp, a.ss_send, b.it_id, b.it_name
                     from {$g5['g5_shop_item_stocksms_table']} a left join {$g5['g5_shop_item_table']} b on ( a.it_id = b.it_id )
-                    where a.ss_id = '{$_POST['ss_id'][$k]}' ";
+                    where a.ss_id = '$sss_id' ";
         $row = sql_fetch($sql);
 
         if(!$row['ss_id'] || !$row['it_id'] || $row['ss_send'])
@@ -43,7 +44,7 @@
         $sql = " update {$g5['g5_shop_item_stocksms_table']}
                     set ss_send = '1',
                         ss_send_time = '".G5_TIME_YMDHIS."'
-                    where ss_id = '{$_POST['ss_id'][$k]}' ";
+                    where ss_id = '{$sss_id}' ";
         sql_query($sql);
     }
 
@@ -105,8 +106,9 @@
     for ($i=0; $i<count($_POST['chk']); $i++) {
         // 실제 번호를 넘김
         $k = $_POST['chk'][$i];
+        $sss_id = (int) $_POST['ss_id'][$k];
 
-        $sql = " delete from {$g5['g5_shop_item_stocksms_table']} where ss_id = '{$_POST['ss_id'][$k]}' ";
+        $sql = " delete from {$g5['g5_shop_item_stocksms_table']} where ss_id = '{$sss_id}' ";
         sql_query($sql);
     }
 }

diff --git a/adm/shop_admin/itemtypelistupdate.php b/adm/shop_admin/itemtypelistupdate.php
@@ -11,12 +11,12 @@
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
     $sql = "update {$g5['g5_shop_item_table']}
-               set it_type1 = '{$_POST['it_type1'][$i]}',
-                   it_type2 = '{$_POST['it_type2'][$i]}',
-                   it_type3 = '{$_POST['it_type3'][$i]}',
-                   it_type4 = '{$_POST['it_type4'][$i]}',
-                   it_type5 = '{$_POST['it_type5'][$i]}'
-             where it_id = '{$_POST['it_id'][$i]}' ";
+               set it_type1 = '".sql_real_escape_string($_POST['it_type1'][$i])."',
+                   it_type2 = '".sql_real_escape_string($_POST['it_type2'][$i])."',
+                   it_type3 = '".sql_real_escape_string($_POST['it_type3'][$i])."',
+                   it_type4 = '".sql_real_escape_string($_POST['it_type4'][$i])."',
+                   it_type5 = '".sql_real_escape_string($_POST['it_type5'][$i])."'
+             where it_id = '".sql_real_escape_string($_POST['it_id'][$i])."' ";
     sql_query($sql);
 }
 

diff --git a/adm/shop_admin/itemuselistupdate.php b/adm/shop_admin/itemuselistupdate.php
@@ -21,23 +21,29 @@
 for ($i=0; $i<count($_POST['chk']); $i++)
 {
     $k = $_POST['chk'][$i]; // 실제 번호를 넘김
+    $iit_id = isset($_POST['it_id'][$k]) ? preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k]) : '';
+    $iis_id = isset($_POST['is_id'][$k]) ? (int) $_POST['is_id'][$k] : 0;
+    $iis_score = isset($_POST['is_score'][$k]) ? (int) $_POST['is_score'][$k] : 0;
+    $iis_confirm = isset($_POST['is_confirm'][$k]) ? (int) $_POST['is_confirm'][$k] : 0;
 
     if ($_POST['act_button'] == "선택수정")
     {
         $sql = "update {$g5['g5_shop_item_use_table']}
-                   set is_score   = '{$_POST['is_score'][$k]}',
-                       is_confirm = '{$_POST['is_confirm'][$k]}'
-                 where is_id      = '{$_POST['is_id'][$k]}' ";
+                   set is_score   = '{$iis_score}',
+                       is_confirm = '{$iis_confirm}'
+                 where is_id      = '{$iis_id}' ";
         sql_query($sql);
     }
     else if ($_POST['act_button'] == "선택삭제")
     {
-        $sql = "delete from {$g5['g5_shop_item_use_table']} where is_id = '{$_POST['is_id'][$k]}' ";
+        $sql = "delete from {$g5['g5_shop_item_use_table']} where is_id = '{$iis_id}' ";
         sql_query($sql);
     }
-
-    update_use_cnt($_POST['it_id'][$k]);
-    update_use_avg($_POST['it_id'][$k]);
+
+    if($iit_id){
+        update_use_cnt($iit_id);
+        update_use_avg($iit_id);
+    }
 }
 
 goto_url("./itemuselist.php?sca=$sca&amp;sst=$sst&amp;sod=$sod&amp;sfl=$sfl&amp;stx=$stx&amp;page=$page");

diff --git a/adm/shop_admin/optionstocklistupdate.php b/adm/shop_admin/optionstocklistupdate.php
@@ -12,12 +12,12 @@
 for ($i=0; $i<count($_POST['it_id']); $i++)
 {
     $sql = "update {$g5['g5_shop_item_option_table']}
-               set io_stock_qty    = '{$_POST['io_stock_qty'][$i]}',
-                   io_noti_qty     = '{$_POST['io_noti_qty'][$i]}',
-                   io_use = '{$_POST['io_use'][$i]}'
-             where it_id = '{$_POST['it_id'][$i]}'
-               and io_id = '{$_POST['io_id'][$i]}'
-               and io_type = '{$_POST['io_type'][$i]}' ";
+               set io_stock_qty    = '".sql_real_escape_string($_POST['io_stock_qty'][$i])."',
+                   io_noti_qty     = '".sql_real_escape_string($_POST['io_noti_qty'][$i])."',
+                   io_use = '".sql_real_escape_string($_POST['io_use'][$i])."'
+             where it_id = '".sql_real_escape_string($_POST['it_id'][$i])."'
+               and io_id = '".sql_real_escape_string($_POST['io_id'][$i])."'
+               and io_type = '".sql_real_escape_string($_POST['io_type'][$i])."' ";
     sql_query($sql);
 }
 

diff --git a/adm/shop_admin/personalpaylistdelete.php b/adm/shop_admin/personalpaylistdelete.php
@@ -16,8 +16,9 @@
 {
     // 실제 번호를 넘김
     $k = $_POST['chk'][$i];
+    $ppp_id = (int) $_POST['pp_id'][$k];
 
-    $sql = " delete from {$g5['g5_shop_personalpay_table']} where pp_id = '{$_POST['pp_id'][$k]}' ";
+    $sql = " delete from {$g5['g5_shop_personalpay_table']} where pp_id = '{$ppp_id}' ";
     sql_query($sql);
 }