Unrated severityOSV Advisory· Published Apr 26, 2019· Updated Aug 5, 2024
CVE-2018-15580
CVE-2018-15580
Description
Cross-Site Scripting (XSS) vulnerability in adm/contentformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.
Affected products
1Patches
25be739934b3cMerge branch 'master' of github.com:gnuboard/g5
36 files changed · +88 −63
adm/board_form_update.php+9 −9 modified@@ -14,19 +14,19 @@ if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); } if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); } -$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255)); -$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255)); +$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255)); +$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255)); // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) { alert('자동등록방지 숫자가 틀렸습니다.'); } } -if ($file = $_POST['bo_include_head']) { +if ($file = $bo_include_head) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { @@ -35,7 +35,7 @@ $_POST['bo_include_head'] = $file; } -if ($file = $_POST['bo_include_tail']) { +if ($file = $bo_include_tail) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { @@ -44,11 +44,11 @@ $_POST['bo_include_tail'] = $file; } -if(!is_include_path_check($_POST['bo_include_head'], 1)) { +if(!is_include_path_check($bo_include_head, 1)) { alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } -if(!is_include_path_check($_POST['bo_include_tail'], 1)) { +if(!is_include_path_check($bo_include_tail, 1)) { alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } @@ -125,8 +125,8 @@ // 최고 관리자인 경우에만 수정가능 if ($is_admin === 'super'){ -$sql_common .= " bo_include_head = '{$_POST['bo_include_head']}', - bo_include_tail = '{$_POST['bo_include_tail']}', +$sql_common .= " bo_include_head = '".$bo_include_head."', + bo_include_tail = '".$bo_include_tail."', bo_content_head = '{$_POST['bo_content_head']}', bo_content_tail = '{$_POST['bo_content_tail']}', bo_mobile_content_head = '{$_POST['bo_mobile_content_head']}',
adm/boardgroup_form.php+1 −1 modified@@ -12,7 +12,7 @@ if ($w == '') { $gr_id_attr = 'required'; $sound_only = '<strong class="sound_only"> 필수</strong>'; - $gr['gr_use_access'] = 0; + $gr = array('gr_use_access' => 0); $html_title .= ' 생성'; } else if ($w == 'u') { $gr_id_attr = 'readonly';
adm/boardgroup_form_update.php+3 −1 modified@@ -16,7 +16,9 @@ if (!$gr_subject) alert('그룹 제목을 입력하세요.'); -$sql_common = " gr_subject = '{$_POST['gr_subject']}', +$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : ''; + +$sql_common = " gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device']}', gr_admin = '{$_POST['gr_admin']}', gr_1_subj = '{$_POST['gr_1_subj']}',
adm/boardgroup_list_update.php+2 −1 modified@@ -19,10 +19,11 @@ { $k = $_POST['chk'][$i]; $gr_id = $_POST['group_id'][$k]; + $gr_subject = strip_tags($_POST['gr_subject'][$k]); if($_POST['act_button'] == '선택수정') { $sql = " update {$g5['group_table']} - set gr_subject = '{$_POST['gr_subject'][$k]}', + set gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device'][$k]}', gr_admin = '{$_POST['gr_admin'][$k]}', gr_use_access = '{$_POST['gr_use_access'][$k]}',
adm/contentform.php+5 −3 modified@@ -49,9 +49,11 @@ else { $html_title .= ' 입력'; - $co['co_html'] = 2; - $co['co_skin'] = 'basic'; - $co['co_mobile_skin'] = 'basic'; + $co = array( + 'co_html' => 2, + 'co_skin' => 'basic', + 'co_mobile_skin' => 'basic' + ); } include_once (G5_ADMIN_PATH.'/admin.head.php');
adm/contentformupdate.php+5 −1 modified@@ -20,8 +20,12 @@ $co_row = sql_fetch($sql); } +$co_subject = strip_tags($co_subject); +$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); +$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) {
adm/faqmasterform.php+1 −0 modified@@ -21,6 +21,7 @@ else { $html_title .= ' 입력'; + $fm = array(); } $g5['title'] = $html_title.' 관리';
adm/faqmasterformupdate.php+2 −0 modified@@ -18,6 +18,8 @@ if ($fm_himg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_h"); if ($fm_timg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_t"); +$fm_subject = strip_tags($fm_subject); + $sql_common = " set fm_subject = '$fm_subject', fm_head_html = '$fm_head_html', fm_tail_html = '$fm_tail_html',
adm/newwinform.php+1 −1 modified@@ -109,7 +109,7 @@ <tr> <th scope="row"><label for="nw_subject">팝업 제목<strong class="sound_only"> 필수</strong></label></th> <td> - <input type="text" name="nw_subject" value="<?php echo stripslashes($nw['nw_subject']) ?>" id="nw_subject" required class="frm_input required" size="80"> + <input type="text" name="nw_subject" value="<?php echo get_sanitize_input($nw['nw_subject']); ?>" id="nw_subject" required class="frm_input required" size="80"> </td> </tr> <tr>
adm/newwinformupdate.php+3 −1 modified@@ -12,6 +12,8 @@ check_admin_token(); +$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : ''; + $sql_common = " nw_device = '{$_POST['nw_device']}', nw_begin_time = '{$_POST['nw_begin_time']}', nw_end_time = '{$_POST['nw_end_time']}', @@ -20,7 +22,7 @@ nw_top = '{$_POST['nw_top']}', nw_height = '{$_POST['nw_height']}', nw_width = '{$_POST['nw_width']}', - nw_subject = '{$_POST['nw_subject']}', + nw_subject = '{$nw_subject}', nw_content = '{$_POST['nw_content']}', nw_content_html = '{$_POST['nw_content_html']}' ";
adm/point_update.php+3 −3 modified@@ -6,9 +6,9 @@ check_admin_token(); -$mb_id = $_POST['mb_id']; -$po_point = $_POST['po_point']; -$po_content = $_POST['po_content']; +$mb_id = strip_tags($_POST['mb_id']); +$po_point = strip_tags($_POST['po_point']); +$po_content = strip_tags($_POST['po_content']); $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']); $mb = get_member($mb_id);
adm/qa_config_update.php+4 −1 modified@@ -12,8 +12,11 @@ $qaconfig = get_qa_config(); +$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255)); +$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) {
adm/sms_admin/history_num.php+1 −1 modified@@ -27,7 +27,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php'); ?> -<form name="search_form" method="get" action="<?echo $_SERVER['SCRIPT_NAME']?>" class="local_sch01 local_sch" > +<form name="search_form" method="get" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" class="local_sch01 local_sch" > <label for="st" class="sound_only">검색대상</label> <select name="st" id="st"> <option value="hs_name"<?php echo get_selected('hs_name', $st); ?>>이름</option>
adm/sms_admin/num_book_update.php+2 −0 modified@@ -21,6 +21,8 @@ if (!strlen(trim($bk_name))) alert('이름을 입력해주세요'); + $bk_name = strip_tags($bk_name); + if ($bk_hp == '') alert('휴대폰번호만 입력 가능합니다.'); /*
adm/sms_admin/num_book_write.php+6 −8 modified@@ -30,7 +30,7 @@ $g5['title'] .= '수정'; } else { - $write['bg_no'] = $bg_no; + $write = array('bg_no' => (int) $bg_no); $g5['title'] .= '추가'; } @@ -43,12 +43,12 @@ ?> <form name="book_form" id="book_form" method="post" action="./num_book_update.php"> -<input type="hidden" name="w" value="<?php echo $w?>"> -<input type="hidden" name="page" value="<?php echo $page?>"> -<input type="hidden" name="ap" value="<?php echo $ap?>"> +<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>"> +<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>"> +<input type="hidden" name="ap" value="<?php echo get_sanitize_input($ap); ?>"> <input type="hidden" name="bk_no" value="<?php echo $write['bk_no']?>"> <input type="hidden" name="mb_id" id="mb_id" value="<?php echo $write['mb_id']?>"> -<input type="hidden" name="get_bg_no" value="<?php echo $bg_no?>"> +<input type="hidden" name="get_bg_no" value="<?php echo get_sanitize_input($bg_no); ?>"> <div class="tbl_frm01 tbl_wrap"> <table> @@ -74,7 +74,7 @@ </tr> <tr> <th scope="row"><label for="bk_name">이름<strong class="sound_only"> 필수</strong></label></th> - <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo $write['bk_name']?>" required class="frm_input required"></td> + <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo get_sanitize_input($write['bk_name']); ?>" required class="frm_input required"></td> </tr> <tr> <th scope="row"><label for="bk_hp">휴대폰번호<strong class="sound_only"> 필수</strong></label></th> @@ -187,14 +187,12 @@ function book_submit(){ if($check_msg.size()> 0) $check_msg.remove(); -// $("#exist_msg").text("<?php echo $exist_msg_2; ?>"); is_submit = true; } else { if($check_msg.size() < 1) $("input#bk_hp").after("<div id=\"hp_check_el\"><h3>이 번호를 쓰는 회원 정보</h3><ul></ul></div>"); $("#hp_check_el").find("ul").html( list_text ); -// $("#exist_msg").html("<?php echo $exist_msg_1 ?>"); if(confirm("회원 정보에 중복 휴대폰 번호가 있습니다.수정하실 경우 회원정보에 반영되지 않습니다.\n수정하시겠습니까?")) is_submit = true;
bbs/formmail_send.php+3 −4 modified@@ -12,14 +12,13 @@ $email_enc = new str_encrypt(); $to = $email_enc->decrypt($to); -if (substr_count($to, "@") > 1) - alert_close('한번에 한사람에게만 메일을 발송할 수 있습니다.'); - - if (!chk_captcha()) { alert('자동등록방지 숫자가 틀렸습니다.'); } +if (!preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)){ + alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.'); +} $file = array(); for ($i=1; $i<=$attach; $i++) {
bbs/login_check.php+1 −1 modified@@ -72,7 +72,7 @@ // 3.27 // 자동로그인 --------------------------- // 쿠키 한달간 저장 - $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $mb['mb_password']); + $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['SERVER_SOFTWARE'] . $_SERVER['HTTP_USER_AGENT'] . $mb['mb_password']); set_cookie('ck_mb_id', $mb['mb_id'], 86400 * 31); set_cookie('ck_auto', $key, 86400 * 31); // 자동로그인 end ---------------------------
bbs/member_confirm.php+4 −0 modified@@ -24,6 +24,10 @@ // url 체크 check_url_host($url, '', G5_URL, true); +if( preg_match('#^/{3,}#', $url) ){ + $url = preg_replace('#^/{3,}#', '/', $url); +} + $url = get_text($url); include_once($member_skin_path.'/member_confirm.skin.php');
common.php+2 −1 modified@@ -374,7 +374,7 @@ function sql_escape_string($str) $sql = " select mb_password, mb_intercept_date, mb_leave_date, mb_email_certify from {$g5['member_table']} where mb_id = '{$tmp_mb_id}' "; $row = sql_fetch($sql); if($row['mb_password']){ - $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $row['mb_password']); + $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['SERVER_SOFTWARE'] . $_SERVER['HTTP_USER_AGENT'] . $row['mb_password']); // 쿠키에 저장된 키와 같다면 $tmp_key = get_cookie('ck_auto'); if ($tmp_key === $key && $tmp_key) { @@ -621,6 +621,7 @@ function sql_escape_string($str) foreach($extend_file as $file) { include_once(G5_EXTEND_PATH.'/'.$file); } + unset($file); } unset($extend_file);
config.php+1 −1 modified@@ -5,7 +5,7 @@ ********************/ define('G5_VERSION', '그누보드5'); -define('G5_GNUBOARD_VER', '5.3.1.5'); +define('G5_GNUBOARD_VER', '5.3.1.6'); // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음 define('_GNUBOARD_', true);
js/kakaolink.js+16 −6 modified@@ -1,10 +1,20 @@ -function kakaolink_send(text, url) +function kakaolink_send(text, url, image) { + if( image === undefined ){ + image = ''; + } + // 카카오톡 링크 버튼을 생성합니다. 처음 한번만 호출하면 됩니다. - Kakao.Link.sendTalkLink({ - webLink : { - text: String(text), - url: url // 앱 설정의 웹 플랫폼에 등록한 도메인의 URL이어야 합니다. - } + Kakao.Link.sendDefault({ + objectType: 'feed', + content: { + title: String(text), + description: url, + imageUrl: image, + link: { + mobileWebUrl: url, + webUrl: url // 앱 설정의 웹 플랫폼에 등록한 도메인의 URL이어야 합니다. + } + } }); } \ No newline at end of file
lib/common.lib.php+5 −5 modified@@ -3269,7 +3269,7 @@ class str_encrypt function __construct($salt='') { if(!$salt) - $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), G5_MYSQL_PASSWORD)); + $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT'])); else $this->salt = $salt; @@ -3288,12 +3288,12 @@ function encrypt($str) $result .= $char; } - return base64_encode($result); + return strtr(base64_encode($result) , '+/=', '._-'); } function decrypt($str) { $result = ''; - $str = base64_decode($str); + $str = base64_decode(strtr($str, '._-', '+/=')); $length = strlen($str); for($i=0; $i<$length; $i++) { @@ -3438,7 +3438,7 @@ function is_include_path_check($path='', $is_input='') if( $path ){ if ($is_input){ - if( stripos($path, 'php://') !== false || stripos($path, 'zlib://') !== false || stripos($path, 'bzip2://') !== false || stripos($path, 'zip://') !== false || stripos($path, 'data:text/') !== false || stripos($path, 'data://') !== false ){ + if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){ return false; } @@ -3478,7 +3478,7 @@ function is_include_path_check($path='', $is_input='') return false; } - if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $path) ){ + if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){ return false; } }
mobile/skin/board/basic/list.skin.php+0 −1 modified@@ -76,7 +76,6 @@ <?php if ($list[$i]['is_notice']) { ?><strong class="notice_icon"><i class="fa fa-volume-up" aria-hidden="true"></i>공지</strong><?php } ?> <?php echo $list[$i]['subject'] ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
mobile/skin/board/basic/view.skin.php+1 −1 modified@@ -153,7 +153,7 @@ </section> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
mobile/skin/board/gallery/list.skin.php+0 −1 modified@@ -103,7 +103,6 @@ <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><?php echo $list[$i]['comment_cnt']; ?><span class="sound_only">개</span><?php } ?> </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
mobile/skin/board/gallery/view.skin.php+1 −1 modified@@ -153,7 +153,7 @@ </section> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
plugin/htmlpurifier/safeiframe.txt+3 −1 modified@@ -9,4 +9,6 @@ play.afreeca.com/ v.nate.com/ www.microsoft.com/showcase/video.aspx/ w.soundcloud.com/ -www.facebook.com/ \ No newline at end of file +www.facebook.com/ +kakaotv.daum.net/ +v.afree.ca/ \ No newline at end of file
plugin/sns/view.sns.skin.php+1 −1 modified@@ -23,7 +23,7 @@ ?> <?php if(G5_IS_MOBILE && $config['cf_kakao_js_apikey']) { ?> -<script src="https://developers.kakao.com/sdk/js/kakao.min.js"></script> +<script src="//developers.kakao.com/sdk/js/kakao.min.js"></script> <script src="<?php echo G5_JS_URL; ?>/kakaolink.js"></script> <script> // 사용할 앱의 Javascript 키를 설정해 주세요.
skin/board/basic/list.skin.php+0 −1 modified@@ -114,7 +114,6 @@ </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_file'])) echo rtrim($list[$i]['icon_file']); if (isset($list[$i]['icon_link'])) echo rtrim($list[$i]['icon_link']);
skin/board/basic/view.skin.php+1 −1 modified@@ -135,7 +135,7 @@ <!-- } 첨부파일 끝 --> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
skin/board/gallery/list.skin.php+0 −1 modified@@ -117,7 +117,6 @@ <?php echo $list[$i]['subject'] ?> <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><span class="cnt_cmt">+ <?php echo $list[$i]['wr_comment']; ?></span><span class="sound_only">개</span><?php } ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo rtrim($list[$i]['icon_new']);
skin/board/gallery/view.skin.php+1 −1 modified@@ -135,7 +135,7 @@ <!-- } 첨부파일 끝 --> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
theme/basic/mobile/skin/board/basic/list.skin.php+0 −1 modified@@ -76,7 +76,6 @@ <?php if ($list[$i]['is_notice']) { ?><strong class="notice_icon"><i class="fa fa-volume-up" aria-hidden="true"></i>공지</strong><?php } ?> <?php echo $list[$i]['subject'] ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
theme/basic/mobile/skin/board/gallery/list.skin.php+0 −1 modified@@ -103,7 +103,6 @@ <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><?php echo $list[$i]['comment_cnt']; ?><span class="sound_only">개</span><?php } ?> </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
theme/basic/skin/board/basic/list.skin.php+0 −1 modified@@ -114,7 +114,6 @@ </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_file'])) echo rtrim($list[$i]['icon_file']); if (isset($list[$i]['icon_link'])) echo rtrim($list[$i]['icon_link']);
theme/basic/skin/board/gallery/list.skin.php+0 −1 modified@@ -117,7 +117,6 @@ <?php echo $list[$i]['subject'] ?> <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><span class="cnt_cmt">+ <?php echo $list[$i]['wr_comment']; ?></span><span class="sound_only">개</span><?php } ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo rtrim($list[$i]['icon_new']);
12 files changed · +26 −13
adm/boardgroup_form.php+1 −1 modified@@ -12,7 +12,7 @@ if ($w == '') { $gr_id_attr = 'required'; $sound_only = '<strong class="sound_only"> 필수</strong>'; - $gr['gr_use_access'] = 0; + $gr = array('gr_use_access' => 0); $html_title .= ' 생성'; } else if ($w == 'u') { $gr_id_attr = 'readonly';
adm/boardgroup_form_update.php+3 −1 modified@@ -16,7 +16,9 @@ if (!$gr_subject) alert('그룹 제목을 입력하세요.'); -$sql_common = " gr_subject = '{$_POST['gr_subject']}', +$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : ''; + +$sql_common = " gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device']}', gr_admin = '{$_POST['gr_admin']}', gr_1_subj = '{$_POST['gr_1_subj']}',
adm/boardgroup_list_update.php+2 −1 modified@@ -19,10 +19,11 @@ { $k = $_POST['chk'][$i]; $gr_id = $_POST['group_id'][$k]; + $gr_subject = strip_tags($_POST['gr_subject'][$k]); if($_POST['act_button'] == '선택수정') { $sql = " update {$g5['group_table']} - set gr_subject = '{$_POST['gr_subject'][$k]}', + set gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device'][$k]}', gr_admin = '{$_POST['gr_admin'][$k]}', gr_use_access = '{$_POST['gr_use_access'][$k]}',
adm/contentform.php+5 −3 modified@@ -49,9 +49,11 @@ else { $html_title .= ' 입력'; - $co['co_html'] = 2; - $co['co_skin'] = 'basic'; - $co['co_mobile_skin'] = 'basic'; + $co = array( + 'co_html' => 2, + 'co_skin' => 'basic', + 'co_mobile_skin' => 'basic' + ); } include_once (G5_ADMIN_PATH.'/admin.head.php');
adm/contentformupdate.php+1 −0 modified@@ -20,6 +20,7 @@ $co_row = sql_fetch($sql); } +$co_subject = strip_tags($co_subject); $co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); $co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
adm/faqmasterform.php+1 −0 modified@@ -21,6 +21,7 @@ else { $html_title .= ' 입력'; + $fm = array(); } $g5['title'] = $html_title.' 관리';
adm/faqmasterformupdate.php+2 −0 modified@@ -18,6 +18,8 @@ if ($fm_himg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_h"); if ($fm_timg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_t"); +$fm_subject = strip_tags($fm_subject); + $sql_common = " set fm_subject = '$fm_subject', fm_head_html = '$fm_head_html', fm_tail_html = '$fm_tail_html',
adm/newwinform.php+1 −1 modified@@ -109,7 +109,7 @@ <tr> <th scope="row"><label for="nw_subject">팝업 제목<strong class="sound_only"> 필수</strong></label></th> <td> - <input type="text" name="nw_subject" value="<?php echo stripslashes($nw['nw_subject']) ?>" id="nw_subject" required class="frm_input required" size="80"> + <input type="text" name="nw_subject" value="<?php echo get_sanitize_input($nw['nw_subject']); ?>" id="nw_subject" required class="frm_input required" size="80"> </td> </tr> <tr>
adm/newwinformupdate.php+3 −1 modified@@ -12,6 +12,8 @@ check_admin_token(); +$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : ''; + $sql_common = " nw_device = '{$_POST['nw_device']}', nw_begin_time = '{$_POST['nw_begin_time']}', nw_end_time = '{$_POST['nw_end_time']}', @@ -20,7 +22,7 @@ nw_top = '{$_POST['nw_top']}', nw_height = '{$_POST['nw_height']}', nw_width = '{$_POST['nw_width']}', - nw_subject = '{$_POST['nw_subject']}', + nw_subject = '{$nw_subject}', nw_content = '{$_POST['nw_content']}', nw_content_html = '{$_POST['nw_content_html']}' ";
adm/point_update.php+3 −3 modified@@ -6,9 +6,9 @@ check_admin_token(); -$mb_id = $_POST['mb_id']; -$po_point = $_POST['po_point']; -$po_content = $_POST['po_content']; +$mb_id = strip_tags($_POST['mb_id']); +$po_point = strip_tags($_POST['po_point']); +$po_content = strip_tags($_POST['po_content']); $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']); $mb = get_member($mb_id);
adm/sms_admin/num_book_update.php+2 −0 modified@@ -21,6 +21,8 @@ if (!strlen(trim($bk_name))) alert('이름을 입력해주세요'); + $bk_name = strip_tags($bk_name); + if ($bk_hp == '') alert('휴대폰번호만 입력 가능합니다.'); /*
adm/sms_admin/num_book_write.php+2 −2 modified@@ -30,7 +30,7 @@ $g5['title'] .= '수정'; } else { - $write['bg_no'] = $bg_no; + $write = array('bg_no' => (int) $bg_no); $g5['title'] .= '추가'; } @@ -74,7 +74,7 @@ </tr> <tr> <th scope="row"><label for="bk_name">이름<strong class="sound_only"> 필수</strong></label></th> - <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo $write['bk_name']?>" required class="frm_input required"></td> + <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo get_sanitize_input($write['bk_name']); ?>" required class="frm_input required"></td> </tr> <tr> <th scope="row"><label for="bk_hp">휴대폰번호<strong class="sound_only"> 필수</strong></label></th>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/gnuboard/gnuboard5/commit/b1fc952c7600b825c4b02e2789ddafdea18c8d13mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.