관리자 CSRF 취약점 수정

gnuboard · Nov 24, 2015 · 8b3a573 · 8b3a573
1 parent fe3b84e
commit 8b3a573
Show file tree

Hide file tree

Showing 91 changed files with 265 additions and 91 deletions.
diff --git a/adm/admin.js b/adm/admin.js
@@ -57,12 +57,20 @@ function is_checked(elements_name)
     return checked;
 }
 
-function delete_confirm()
+function delete_confirm(el)
 {
-    if(confirm("한번 삭제한 자료는 복구할 방법이 없습니다.\n\n정말 삭제하시겠습니까?"))
+    if(confirm("한번 삭제한 자료는 복구할 방법이 없습니다.\n\n정말 삭제하시겠습니까?")) {
+        var token = get_ajax_token();
+        var href = el.href.replace(/&token=.+$/g, "");
+        if(!token) {
+            alert("토큰 정보가 올바르지 않습니다.");
+            return false;
+        }
+        el.href = href+"&token="+token;
         return true;
-    else
+    } else {
         return false;
+    }
 }
 
 function delete_confirm2(msg)
@@ -71,4 +79,51 @@ function delete_confirm2(msg)
         return true;
     else
         return false;
-}
+}
+
+function get_ajax_token()
+{
+    var token = "";
+
+    $.ajax({
+        type: "POST",
+        url: g5_admin_url+"/ajax.token.php",
+        cache: false,
+        async: false,
+        dataType: "json",
+        success: function(data) {
+            if(data.error) {
+                alert(data.error);
+                if(data.url)
+                    document.location.href = data.url;
+
+                return false;
+            }
+
+            token = data.token;
+        }
+    });
+
+    return token;
+}
+
+$(function() {
+    $(document).on("click", "form input:submit", function() {
+        var f = this.form;
+        var token = get_ajax_token();
+
+        if(!token) {
+            alert("토큰 정보가 올바르지 않습니다.");
+            return false;
+        }
+
+        var $f = $(f);
+
+        if(typeof f.token === "undefined")
+            $f.prepend('<input type="hidden" name="token" value="">');
+
+        $f.find("input[name=token]").val(token);
+
+        return true;
+    });
+});
diff --git a/adm/admin.lib.php b/adm/admin.lib.php
@@ -346,6 +346,54 @@ function order_select($fld, $sel='')
     return $s;
 }
 
+// 불법접근을 막도록 토큰을 생성하면서 토큰값을 리턴
+function get_admin_token()
+{
+    $token = md5(uniqid(rand(), true));
+    set_session('ss_admin_token', $token);
+
+    return $token;
+}
+
+
+// POST로 넘어온 토큰과 세션에 저장된 토큰 비교
+function check_admin_token()
+{
+    $token = get_session('ss_admin_token');
+    set_session('ss_admin_token', '');
+
+    if(!$token || !$_REQUEST['token'] || $token != $_REQUEST['token'])
+        alert('올바른 방법으로 이용해 주십시오.');
+
+    return true;
+}
+
+// 관리자 페이지 referer 체크
+function admin_referer_check($return=false)
+{
+    $referer = trim($_SERVER['HTTP_REFERER']);
+    if(!$referer) {
+        $msg = '정보가 올바르지 않습니다.';
+
+        if($return)
+            return $msg;
+        else
+            alert($msg, G5_URL);
+    }
+
+    $p = @parse_url($referer);
+    $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
+
+    if($host != $p['host']) {
+        $msg = '올바른 방법으로 이용해 주십시오.';
+
+        if($return)
+            return $msg;
+        else
+            alert($msg, G5_URL);
+    }
+}
+
 // 접근 권한 검사
 if (!$member['mb_id'])
 {

diff --git a/adm/ajax.token.php b/adm/ajax.token.php
@@ -0,0 +1,14 @@
+<?php
+include_once('./_common.php');
+include_once(G5_LIB_PATH.'/json.lib.php');
+
+set_session('ss_admin_token', '');
+
+$error = admin_referer_check(true);
+if($error)
+    die(json_encode(array('error'=>$error, 'url'=>G5_URL)));
+
+$token = get_admin_token();
+
+die(json_encode(array('error'=>'', 'token'=>$token, 'url'=>'')));
+?>
diff --git a/adm/auth_list.php b/adm/auth_list.php
@@ -5,8 +5,6 @@
 if ($is_admin != 'super')
     alert('최고관리자만 접근 가능합니다.');
 
-$token = get_token();
-
 $sql_common = " from {$g5['auth_table']} a left join {$g5['member_table']} b on (a.mb_id=b.mb_id) ";
 
 $sql_search = " where (1) ";
@@ -73,7 +71,7 @@
 <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
 <input type="hidden" name="stx" value="<?php echo $stx ?>">
 <input type="hidden" name="page" value="<?php echo $page ?>">
-<input type="hidden" name="token" value="<?php echo $token ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_head01 tbl_wrap">
     <table>
@@ -168,7 +166,7 @@
 <input type="hidden" name="sst" value="<?php echo $sst ?>">
 <input type="hidden" name="sod" value="<?php echo $sod ?>">
 <input type="hidden" name="page" value="<?php echo $page ?>">
-<input type="hidden" name="token" value="<?php echo $token ?>">
+<input type="hidden" name="token" value="">
 
 <section id="add_admin">
     <h2 class="h2_frm">관리권한 추가</h2>

diff --git a/adm/auth_list_delete.php b/adm/auth_list_delete.php
@@ -7,7 +7,7 @@
 if ($is_admin != 'super')
     alert('최고관리자만 접근 가능합니다.');
 
-check_token();
+check_admin_token();
 
 $count = count($_POST['chk']);
 

diff --git a/adm/auth_update.php b/adm/auth_update.php
@@ -9,7 +9,7 @@
 if (!$mb['mb_id'])
     alert('존재하는 회원아이디가 아닙니다.');
 
-check_token();
+check_admin_token();
 
 $sql = " insert into {$g5['auth_table']}
             set mb_id   = '{$_POST['mb_id']}',

diff --git a/adm/board_copy.php b/adm/board_copy.php
@@ -8,11 +8,14 @@
 include_once(G5_PATH.'/head.sub.php');
 ?>
 
+<script src="<?php echo G5_ADMIN_URL ?>/admin.js"></script>
+
 <div class="new_win">
     <h1><?php echo $g5['title']; ?></h1>
 
     <form name="fboardcopy" id="fboardcopy" action="./board_copy_update.php" onsubmit="return fboardcopy_check(this);" method="post">
     <input type="hidden" name="bo_table" value="<?php echo $bo_table ?>" id="bo_table">
+    <input type="hidden" name="token" value="">
 
     <div class="tbl_frm01 tbl_wrap">
         <table>

diff --git a/adm/board_copy_update.php b/adm/board_copy_update.php
@@ -4,6 +4,8 @@
 
 auth_check($auth[$sub_menu], 'w');
 
+check_admin_token();
+
 $target_table   = trim($_POST['target_table']);
 $target_subject = trim($_POST['target_subject']);
 

diff --git a/adm/board_form.php b/adm/board_form.php
@@ -166,6 +166,7 @@
 <input type="hidden" name="sst" value="<?php echo $sst ?>">
 <input type="hidden" name="sod" value="<?php echo $sod ?>">
 <input type="hidden" name="page" value="<?php echo $page ?>">
+<input type="hidden" name="token" value="">
 
 <section id="anc_bo_basic">
     <h2 class="h2_frm">게시판 기본 설정</h2>

diff --git a/adm/board_form_update.php b/adm/board_form_update.php
@@ -7,6 +7,8 @@
 
 auth_check($auth[$sub_menu], 'w');
 
+check_admin_token();
+
 if (!$_POST['gr_id']) { alert('그룹 ID는 반드시 선택하세요.'); }
 if (!$bo_table) { alert('게시판 TABLE명은 반드시 입력하세요.'); }
 if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); }

diff --git a/adm/board_list_update.php b/adm/board_list_update.php
@@ -51,7 +51,7 @@
 
     auth_check($auth[$sub_menu], 'd');
 
-    check_token();
+    check_admin_token();
 
     // _BOARD_DELETE_ 상수를 선언해야 board_delete.inc.php 가 정상 작동함
     define('_BOARD_DELETE_', true);

diff --git a/adm/boardgroup_form.php b/adm/boardgroup_form.php
@@ -38,6 +38,7 @@
 <input type="hidden" name="sst" value="<?php echo $sst ?>">
 <input type="hidden" name="sod" value="<?php echo $sod ?>">
 <input type="hidden" name="page" value="<?php echo $page ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_frm01 tbl_wrap">
     <table>

diff --git a/adm/boardgroup_form_update.php b/adm/boardgroup_form_update.php
@@ -9,6 +9,8 @@
 
 if ($is_admin != 'super' && $w == '') alert('최고관리자만 접근 가능합니다.');
 
+check_admin_token();
+
 if (!preg_match("/^([A-Za-z0-9_]{1,10})$/", $_POST['gr_id']))
     alert('그룹 ID는 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (10자 이내)');
 

diff --git a/adm/boardgroup_list.php b/adm/boardgroup_list.php
@@ -88,7 +88,7 @@
 <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
 <input type="hidden" name="stx" value="<?php echo $stx ?>">
 <input type="hidden" name="page" value="<?php echo $page ?>">
-<input type="hidden" name="token" value="<?php echo $token ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_head01 tbl_wrap">
     <table>

diff --git a/adm/boardgroup_list_update.php b/adm/boardgroup_list_update.php
@@ -8,6 +8,8 @@
 
 auth_check($auth[$sub_menu], 'w');
 
+check_admin_token();
+
 $count = count($_POST['chk']);
 
 if(!$count)

diff --git a/adm/boardgroupmember_form.php b/adm/boardgroupmember_form.php
@@ -4,8 +4,6 @@
 
 auth_check($auth[$sub_menu], 'w');
 
-$token = get_token();
-
 $mb = get_member($mb_id);
 if (!$mb['mb_id'])
     alert('존재하지 않는 회원입니다.');
@@ -18,7 +16,7 @@
 
 <form name="fboardgroupmember_form" id="fboardgroupmember_form" action="./boardgroupmember_update.php" onsubmit="return boardgroupmember_form_check(this)" method="post">
 <input type="hidden" name="mb_id" value="<?php echo $mb['mb_id'] ?>" id="mb_id">
-<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
+<input type="hidden" name="token" value="" id="token">
 <div class="local_cmd01 local_cmd">
     <p>아이디 <b><?php echo $mb['mb_id'] ?></b>, 이름 <b><?php echo get_text($mb['mb_name']); ?></b>, 닉네임 <b><?php echo $mb['mb_nick'] ?></b></p>
     <label for="gr_id">그룹지정</label>

diff --git a/adm/boardgroupmember_update.php b/adm/boardgroupmember_update.php
@@ -28,7 +28,7 @@
     }
     else
     {
-        check_token();
+        check_admin_token();
 
         $sql = " insert into {$g5['group_member_table']}
                     set gr_id = '{$_POST['gr_id']}',
@@ -45,7 +45,7 @@
     if(!$count)
         alert('삭제할 목록을 하나이상 선택해 주세요.');
 
-    check_token();
+    check_admin_token();
 
     for($i=0; $i<$count; $i++) {
         $gm_id = $_POST['chk'][$i];

diff --git a/adm/config_form.php b/adm/config_form.php
@@ -4,8 +4,6 @@
 
 auth_check($auth[$sub_menu], 'r');
 
-$token = get_token();
-
 if ($is_admin != 'super')
     alert('최고관리자만 접근 가능합니다.');
 
@@ -229,7 +227,7 @@
 ?>
 
 <form name="fconfigform" id="fconfigform" method="post" onsubmit="return fconfigform_submit(this);">
-<input type="hidden" name="token" value="<?php echo $token ?>" id="token">
+<input type="hidden" name="token" value="" id="token">
 
 <section id="anc_cf_basic">
     <h2 class="h2_frm">홈페이지 기본환경 설정</h2>

diff --git a/adm/config_form_update.php b/adm/config_form_update.php
@@ -13,7 +13,7 @@
 if (!$mb['mb_id'])
     alert('최고관리자 회원아이디가 존재하지 않습니다.');
 
-check_token();
+check_admin_token();
 
 // 본인확인을 사용할 경우 아이핀, 휴대폰인증 중 하나는 선택되어야 함
 if($_POST['cf_cert_use'] && !$_POST['cf_cert_ipin'] && !$_POST['cf_cert_hp'])

diff --git a/adm/contentform.php b/adm/contentform.php
@@ -60,6 +60,7 @@
 <form name="frmcontentform" action="./contentformupdate.php" onsubmit="return frmcontentform_check(this);" method="post" enctype="MULTIPART/FORM-DATA" >
 <input type="hidden" name="w" value="<?php echo $w; ?>">
 <input type="hidden" name="co_html" value="1">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_frm01 tbl_wrap">
     <table>

diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
@@ -10,6 +10,8 @@
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 @mkdir(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
 @chmod(G5_DATA_PATH."/content", G5_DIR_PERMISSION);
 

diff --git a/adm/contentlist.php b/adm/contentlist.php
@@ -78,7 +78,7 @@
         <td class="td_mng">
             <a href="./contentform.php?w=u&amp;co_id=<?php echo $row['co_id']; ?>"><span class="sound_only"><?php echo htmlspecialchars2($row['co_subject']); ?> </span>수정</a>
             <a href="<?php echo G5_BBS_URL; ?>/content.php?co_id=<?php echo $row['co_id']; ?>"><span class="sound_only"><?php echo htmlspecialchars2($row['co_subject']); ?> </span> 보기</a>
-            <a href="./contentformupdate.php?w=d&amp;co_id=<?php echo $row['co_id']; ?>" onclick="return delete_confirm();"><span class="sound_only"><?php echo htmlspecialchars2($row['co_subject']); ?> </span>삭제</a>
+            <a href="./contentformupdate.php?w=d&amp;co_id=<?php echo $row['co_id']; ?>" onclick="return delete_confirm(this);"><span class="sound_only"><?php echo htmlspecialchars2($row['co_subject']); ?> </span>삭제</a>
         </td>
     </tr>
     <?php

diff --git a/adm/faqform.php b/adm/faqform.php
@@ -31,6 +31,7 @@
 <input type="hidden" name="w" value="<?php echo $w; ?>">
 <input type="hidden" name="fm_id" value="<?php echo $fm_id; ?>">
 <input type="hidden" name="fa_id" value="<?php echo $fa_id; ?>">
+<input type="hidden" name="token" value="">
 
 <div class="tbl_frm01 tbl_wrap">
     <table>

diff --git a/adm/faqformupdate.php b/adm/faqformupdate.php
@@ -10,6 +10,8 @@
 else
     auth_check($auth[$sub_menu], "w");
 
+check_admin_token();
+
 $sql_common = " fa_subject = '$fa_subject',
                 fa_content = '$fa_content',
                 fa_order = '$fa_order' ";

diff --git a/adm/faqlist.php b/adm/faqlist.php
@@ -69,7 +69,7 @@
         <td class="td_num"><?php echo $row['fa_order']; ?></td>
         <td class="td_mngsmall">
             <a href="./faqform.php?w=u&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>"><span class="sound_only"><?php echo stripslashes($row['fa_subject']); ?> </span>수정</a>
-            <a href="javascript:del('./faqformupdate.php?w=d&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>');"><span class="sound_only"><?php echo stripslashes($row['fa_subject']); ?> </span>삭제</a>
+            <a href="./faqformupdate.php?w=d&amp;fm_id=<?php echo $row['fm_id']; ?>&amp;fa_id=<?php echo $row['fa_id']; ?>" onclick="return delete_confirm(this);"><span class="sound_only"><?php echo stripslashes($row['fa_subject']); ?> </span>삭제</a>
         </td>
     </tr>