
영카트 Reflected XSS 취약점 수정( 17-0558 )
thisgun committed Sep 11, 2017
1 parent 71c5a40 commit adc0c4f
Showing 8 changed files with 19 additions and 6 deletions.
2 changes: 2 additions & 0 deletions adm/shop_admin/bannerformupdate.php
Expand Up @@ -34,6 +34,8 @@
}
}

$bn_url = clean_xss_tags($bn_url);

if ($w=="")
{
if (!$bn_bimg_name) alert('배너 이미지를 업로드 하세요.');
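Review bot: The new `clean_xss_tags($bn_url)` filters markup out of the stored value, but nothing here constrains the URL's scheme or attribute-safety, and the shop skins in this same commit still concatenate a `#`-prefixed `bn_url` straight into `href` without escaping. I cannot see what `clean_xss_tags` strips; if it leaves quotes or a `javascript:` prefix intact, a value such as `#" onclick=...` or `javascript:...` would pass this line and reach the page. Rejecting anything that is neither an anchor nor an http(s) URL at this point gives a clearer contract: `if ($bn_url && $bn_url[0] != '#' && !preg_match('/^https?:\/\//i', $bn_url)) alert('배너 URL 형식이 올바르지 않습니다.');`. The request handler this line belongs to starts and ends outside the hunk.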
2 changes: 1 addition & 1 deletion mobile/skin/shop/basic/mainbanner.10.skin.php
Expand Up @@ -39,7 +39,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner)
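Review bot: Dropping the `url` parameter removes the reflected value from the link, but the `#` branch two lines above still writes `$row['bn_url']` into `href` unescaped, and the `echo` line does the same with `$row['bn_alt']` inside `alt="…"`. Both come from the admin banner form, and this hunk does not show either being HTML-escaped on output, so the page still depends entirely on input-side filtering. Escape at the output point instead: `$banner .= '<a href="'.htmlspecialchars($row['bn_url'], ENT_QUOTES).'">';` and `alt="'.htmlspecialchars($row['bn_alt'], ENT_QUOTES).'"`. The loop these lines sit in starts and ends outside the hunk.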
11 changes: 11 additions & 0 deletions shop/bannerhit.php
@@ -1,6 +1,15 @@
<?php
include_once("./_common.php");

$bn_id = (int) $bn_id;

$sql = " select bn_id, bn_url from {$g5['g5_shop_banner_table']} where bn_id = '$bn_id' ";
$row = sql_fetch($sql);

if( ! $row['bn_id'] ){
alert('해당 배너가 존재하지 않습니다.', G5_SHOP_URL);
}

if ($_COOKIE['ck_bn_id'] != $bn_id)
{
$sql = " update {$g5['g5_shop_banner_table']} set bn_hit = bn_hit + 1 where bn_id = '$bn_id' ";
Expand All @@ -9,5 +18,7 @@
set_cookie("ck_bn_id", $bn_id, 60*60*24);
}

$url = clean_xss_tags($row['bn_url']);

goto_url($url);
?>
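Review bot: `if( ! $row['bn_id'] )` dereferences `$row` before checking that the query returned a row; if `sql_fetch` yields `false` or `null` for an unknown id, this line raises an array-offset notice (a warning on PHP 8) before `alert()` ever runs. `if (empty($row['bn_id']))` — or `if (!$row || !$row['bn_id'])` — covers both the missing-row and empty-id cases. Separately, `clean_xss_tags` on the stored URL strips markup but does not restrict the scheme; if `goto_url` ever falls back to a script-based redirect (I cannot see its implementation), a stored `javascript:` value would still reach the browser, so a `^https?://` check on `$url` before `goto_url($url)` is the safer contract. The `(int)` cast on `$bn_id` assumes the request variable has already been extracted into globals by `_common.php`, which this hunk does not show.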
2 changes: 1 addition & 1 deletion skin/shop/basic/boxbanner.skin.php
Expand Up @@ -25,7 +25,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>';
if($banner)
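Review bot: With the `url` parameter gone the only raw values left in this markup are `$row['bn_url']` in the `#` branch and `$row['bn_alt']` in the `alt` attribute of the `echo` line, and neither is escaped here; whether the admin form escapes them before storage is not visible in this hunk. Escaping on output is the robust fix regardless of what the save path does: `$banner .= '<a href="'.htmlspecialchars($row['bn_url'], ENT_QUOTES).'">';` and `alt="'.htmlspecialchars($row['bn_alt'], ENT_QUOTES).'"`. The enclosing loop starts and ends outside the hunk.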
2 changes: 1 addition & 1 deletion skin/shop/basic/mainbanner.10.skin.php
Expand Up @@ -37,7 +37,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner)
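Review bot: The `#` branch above this change still emits `$row['bn_url']` unescaped into `href`, and `$row['bn_alt']` goes into `alt="…"` the same way on the `echo` line, so the link is safe only for as long as every stored value was filtered on the way in. Output-side escaping closes that dependency: `$banner .= '<a href="'.htmlspecialchars($row['bn_url'], ENT_QUOTES).'">';` and `alt="'.htmlspecialchars($row['bn_alt'], ENT_QUOTES).'"`. The surrounding loop starts and ends outside the hunk.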
2 changes: 1 addition & 1 deletion theme/basic/mobile/skin/shop/basic/mainbanner.10.skin.php
Expand Up @@ -39,7 +39,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner)
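Review bot: This theme copy carries the same gap as the base mobile skin: after the `url` parameter is removed, `$row['bn_url']` in the `#` branch and `$row['bn_alt']` in the `alt` attribute are still written without HTML escaping, and nothing in the hunk shows them being escaped elsewhere. `htmlspecialchars($row['bn_url'], ENT_QUOTES)` in the `#` branch and `htmlspecialchars($row['bn_alt'], ENT_QUOTES)` on the `echo` line would make the skin safe independent of input filtering. The enclosing loop starts and ends outside the hunk.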
2 changes: 1 addition & 1 deletion theme/basic/skin/shop/basic/boxbanner.skin.php
Expand Up @@ -25,7 +25,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" alt="'.$row['bn_alt'].'" width="'.$size[0].'" height="'.$size[1].'"'.$bn_border.'>';
if($banner)
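Review bot: The `#` branch above still places `$row['bn_url']` directly into `href`, and `$row['bn_alt']` is interpolated into `alt="…"` on the `echo` line, neither escaped in this hunk. Since these are admin-stored strings whose save-side filtering is not visible here, escape them at output: `htmlspecialchars($row['bn_url'], ENT_QUOTES)` and `htmlspecialchars($row['bn_alt'], ENT_QUOTES)`. The loop this sits in starts and ends outside the hunk.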
2 changes: 1 addition & 1 deletion theme/basic/skin/shop/basic/mainbanner.10.skin.php
Expand Up @@ -37,7 +37,7 @@
if ($row['bn_url'][0] == '#')
$banner .= '<a href="'.$row['bn_url'].'">';
else if ($row['bn_url'] && $row['bn_url'] != 'http://') {
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'&amp;url='.urlencode($row['bn_url']).'"'.$bn_new_win.'>';
$banner .= '<a href="'.G5_SHOP_URL.'/bannerhit.php?bn_id='.$row['bn_id'].'"'.$bn_new_win.'>';
}
echo $banner.'<img src="'.G5_DATA_URL.'/banner/'.$row['bn_id'].'" width="'.$size[0].'" alt="'.$row['bn_alt'].'"'.$bn_border.'>';
if($banner)
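Review bot: Same remaining issue as the other skins in this commit: `$row['bn_url']` in the `#` branch and `$row['bn_alt']` in the `alt` attribute are still emitted without escaping, so this file relies wholly on the admin form having sanitised the stored values. Adding `htmlspecialchars(…, ENT_QUOTES)` around both at the point of output — `'<a href="'.htmlspecialchars($row['bn_url'], ENT_QUOTES).'">'` and `alt="'.htmlspecialchars($row['bn_alt'], ENT_QUOTES).'"` — removes that dependency. The enclosing loop starts and ends outside the hunk.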
