Unrated severity · OSV Advisory · Published Mar 27, 2019 · Updated Aug 5, 2024
CVE-2018-15585
Description
Stored cross-site scripting (XSS) vulnerability in adm/newwinform.php in GNUBOARD5 before 5.3.1.6. The popup title (the `nw_subject` parameter saved by adm/newwinformupdate.php) was echoed back into the edit form's `value` attribute with only `stripslashes()` applied, allowing remote attackers to inject arbitrary web script or HTML via the popup title parameter; the page sits under `adm/` and the update handler calls `check_admin_token()`, so the payload appears to fire when an administrator opens the popup form. The fix escapes the value at output (`get_sanitize_input()`) and strips tags on save.
Patches (1)
25be739934b3cMerge branch 'master' of github.com:gnuboard/g5
36 files changed · +88 −63
adm/board_form_update.php+9 −9 modified@@ -14,19 +14,19 @@ if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); } if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); } -$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255)); -$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255)); +$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255)); +$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255)); // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) { alert('자동등록방지 숫자가 틀렸습니다.'); } } -if ($file = $_POST['bo_include_head']) { +if ($file = $bo_include_head) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { @@ -35,7 +35,7 @@ $_POST['bo_include_head'] = $file; } -if ($file = $_POST['bo_include_tail']) { +if ($file = $bo_include_tail) { $file_ext = pathinfo($file, PATHINFO_EXTENSION); if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) { 
@@ -44,11 +44,11 @@ $_POST['bo_include_tail'] = $file; } -if(!is_include_path_check($_POST['bo_include_head'], 1)) { +if(!is_include_path_check($bo_include_head, 1)) { alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } -if(!is_include_path_check($_POST['bo_include_tail'], 1)) { +if(!is_include_path_check($bo_include_tail, 1)) { alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } @@ -125,8 +125,8 @@ // 최고 관리자인 경우에만 수정가능 if ($is_admin === 'super'){ -$sql_common .= " bo_include_head = '{$_POST['bo_include_head']}', - bo_include_tail = '{$_POST['bo_include_tail']}', +$sql_common .= " bo_include_head = '".$bo_include_head."', + bo_include_tail = '".$bo_include_tail."', bo_content_head = '{$_POST['bo_content_head']}', bo_content_tail = '{$_POST['bo_content_tail']}', bo_mobile_content_head = '{$_POST['bo_mobile_content_head']}',
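Review bot: The `(<\?php|<\?)` removal on the new `$bo_include_head`/`$bo_include_tail` lines is a single `preg_replace` pass, so a value such as `<<?php?php` comes out as `<?php` and passes the filter; a path that contains `<?` has no legitimate use, so reject it rather than rewrite it, e.g. `if (preg_match('#<\?#i', $bo_include_head.$bo_include_tail)) alert('상단/하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');`. Separately, the `if ($file = ...)` blocks still end with `$_POST['bo_include_head'] = $file;` (the unchanged context shown after the `-35` header) while the SQL now reads `$bo_include_head`, so any normalisation applied to `$file` inside those blocks — whose bodies are outside the hunk — no longer reaches the stored value. The two values are still interpolated into `$sql_common` as string literals, which is only safe if the framework-wide input escaping this project relies on still covers them after `substr`/`preg_replace`.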
adm/boardgroup_form.php+1 −1 modified@@ -12,7 +12,7 @@ if ($w == '') { $gr_id_attr = 'required'; $sound_only = '<strong class="sound_only"> 필수</strong>'; - $gr['gr_use_access'] = 0; + $gr = array('gr_use_access' => 0); $html_title .= ' 생성'; } else if ($w == 'u') { $gr_id_attr = 'readonly';
adm/boardgroup_form_update.php+3 −1 modified@@ -16,7 +16,9 @@ if (!$gr_subject) alert('그룹 제목을 입력하세요.'); -$sql_common = " gr_subject = '{$_POST['gr_subject']}', +$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : ''; + +$sql_common = " gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device']}', gr_admin = '{$_POST['gr_admin']}', gr_1_subj = '{$_POST['gr_1_subj']}',
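Review bot: `strip_tags()` on `gr_subject` is an input-side filter, not an output escape: a title like `" autofocus onfocus=alert(1) x="` contains no tag, survives this line, and is script wherever `gr_subject` is echoed into an attribute without `htmlspecialchars()` — the form that displays it is not in this diff. The strip is also ordered after the required-field check two lines above, so a subject consisting only of tags passes `if (!$gr_subject)` and is then stored as an empty string; move the assignment above that check, `$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : '';`, and escape at render time with `get_sanitize_input()` as `adm/newwinform.php` does in this same commit.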
adm/boardgroup_list_update.php+2 −1 modified@@ -19,10 +19,11 @@ { $k = $_POST['chk'][$i]; $gr_id = $_POST['group_id'][$k]; + $gr_subject = strip_tags($_POST['gr_subject'][$k]); if($_POST['act_button'] == '선택수정') { $sql = " update {$g5['group_table']} - set gr_subject = '{$_POST['gr_subject'][$k]}', + set gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device'][$k]}', gr_admin = '{$_POST['gr_admin'][$k]}', gr_use_access = '{$_POST['gr_use_access'][$k]}',
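Review bot: `gr_use_access`, `gr_device` and `gr_admin` on the lines after the changed one are still interpolated straight from `$_POST[...][$k]` into the UPDATE statement; `gr_use_access` is a 0/1 flag and should be cast, `gr_use_access = '".(int)$_POST['gr_use_access'][$k]."',`, so the query does not depend on whatever global escaping the framework applies to `$_POST`. The same caveat as for `boardgroup_form_update.php` applies to `strip_tags($_POST['gr_subject'][$k])`: it removes tags but not quote characters, so the subject is only safe where it is rendered through an HTML escape.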
adm/contentform.php+5 −3 modified@@ -49,9 +49,11 @@ else { $html_title .= ' 입력'; - $co['co_html'] = 2; - $co['co_skin'] = 'basic'; - $co['co_mobile_skin'] = 'basic'; + $co = array( + 'co_html' => 2, + 'co_skin' => 'basic', + 'co_mobile_skin' => 'basic' + ); } include_once (G5_ADMIN_PATH.'/admin.head.php');
adm/contentformupdate.php+5 −1 modified@@ -20,8 +20,12 @@ $co_row = sql_fetch($sql); } +$co_subject = strip_tags($co_subject); +$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); +$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) {
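Review bot: The `(<\?php|<\?)` removal on the two added `preg_replace` lines is a single pass, so `<<?php?php` is reduced to `<?php` rather than removed; since `co_include_head`/`co_include_tail` look like include paths, a value containing `<?` has no legitimate use and should be rejected with `alert()` instead of rewritten. `$co_subject` is tag-stripped, but like the other subject fields in this commit it is only safe where it is rendered through an HTML escape, and whether `adm/contentform.php` does that is outside this hunk. Note the `!==` comparison against `$co_row` now runs on the normalised value, so a path stored before this patch that contains `<?` will always differ and prompt the captcha — harmless, but worth knowing.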
adm/faqmasterform.php+1 −0 modified@@ -21,6 +21,7 @@ else { $html_title .= ' 입력'; + $fm = array(); } $g5['title'] = $html_title.' 관리';
adm/faqmasterformupdate.php+2 −0 modified@@ -18,6 +18,8 @@ if ($fm_himg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_h"); if ($fm_timg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_t"); +$fm_subject = strip_tags($fm_subject); + $sql_common = " set fm_subject = '$fm_subject', fm_head_html = '$fm_head_html', fm_tail_html = '$fm_tail_html',
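Review bot: The `@unlink(G5_DATA_PATH."/faq/{$fm_id}_h")` lines just above the added `strip_tags` build a filesystem path from `$fm_id`; unless `$fm_id` is cast to an integer before this hunk (not visible here), `fm_himg_del=1` with `fm_id=../../somefile` deletes an arbitrary file the web user can write. Cast it once at the top of the script, `$fm_id = (int) $fm_id;`, and consider dropping the `@` so a failed unlink is at least logged. `strip_tags` on `fm_subject` says nothing about `fm_head_html`/`fm_tail_html` on the following lines; those are intentionally HTML, so they need to stay super-admin-only and be rendered through the HTML purifier this project ships.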
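--- a/adm/newwinform.php
+++ b/adm/newwinform.php
@@ -109,7 +109,7 @@
 <tr>
 <th scope="row"><label for="nw_subject">팝업 제목<strong class="sound_only"> 필수</strong></label></th>
 <td>
-<input type="text" name="nw_subject" value="<?php echo stripslashes($nw['nw_subject']) ?>" id="nw_subject" required class="frm_input required" size="80">
+<input type="text" name="nw_subject" value="<?php echo get_sanitize_input($nw['nw_subject']); ?>" id="nw_subject" required class="frm_input required" size="80">
 </td>
 </tr>
 <tr>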
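Review bot: `get_sanitize_input()` is the right kind of fix for the `value="..."` sink, but its definition is not in this diff, so confirm it applies `htmlspecialchars()` with `ENT_QUOTES` — a double-quoted attribute is only safe if `"` is encoded, and a `strip_tags`-style helper would not be enough here. Only `nw_subject` changes in this file; the other `$nw[...]` values the form echoes (popup content, size and position fields) are outside the hunk and deserve the same treatment, since `adm/newwinformupdate.php` stores them unchanged from `$_POST`. Dropping `stripslashes()` may also change how a title stored with escaped quotes before the upgrade is displayed — a data-migration detail rather than a security one.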
adm/newwinformupdate.php+3 −1 modified@@ -12,6 +12,8 @@ check_admin_token(); +$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : ''; + $sql_common = " nw_device = '{$_POST['nw_device']}', nw_begin_time = '{$_POST['nw_begin_time']}', nw_end_time = '{$_POST['nw_end_time']}', @@ -20,7 +22,7 @@ nw_top = '{$_POST['nw_top']}', nw_height = '{$_POST['nw_height']}', nw_width = '{$_POST['nw_width']}', - nw_subject = '{$_POST['nw_subject']}', + nw_subject = '{$nw_subject}', nw_content = '{$_POST['nw_content']}', nw_content_html = '{$_POST['nw_content_html']}' ";
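Review bot: `strip_tags()` on `nw_subject` narrows the stored value but is not what closes the XSS: a title such as `" onmouseover=alert(1) x="` contains no tag, passes this filter, and is still script in any attribute that echoes it unescaped — the output escape added in `adm/newwinform.php` is the actual fix, and this line is defence in depth at best. The neighbouring `nw_width`/`nw_height`/`nw_top` columns are still interpolated raw from `$_POST`; they are numeric and should be cast, `nw_width = '".(int)$_POST['nw_width']."',`, so the query does not rely on framework-wide escaping. Note also that `strip_tags` silently truncates a legitimate title at an unmatched `<`.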
adm/point_update.php+3 −3 modified@@ -6,9 +6,9 @@ check_admin_token(); -$mb_id = $_POST['mb_id']; -$po_point = $_POST['po_point']; -$po_content = $_POST['po_content']; +$mb_id = strip_tags($_POST['mb_id']); +$po_point = strip_tags($_POST['po_point']); +$po_content = strip_tags($_POST['po_content']); $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']); $mb = get_member($mb_id);
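Review bot: `strip_tags()` is the wrong tool for `po_point` and `mb_id`: points are a number and should be cast, `$po_point = (int) $_POST['po_point'];`, and a member id should be validated against the id pattern this code base uses elsewhere (`adm/board_form_update.php` in this commit checks `/^([A-Za-z0-9_]{1,20})$/`) before it is passed to `get_member()` and, presumably, into SQL. As written, non-numeric values still reach whatever query follows with only a tag strip applied. `po_content` is free text, so `strip_tags` is acceptable there provided it is escaped again where the point history is rendered.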
adm/qa_config_update.php+4 −1 modified@@ -12,8 +12,11 @@ $qaconfig = get_qa_config(); +$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255)); +$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255)); + // 관리자가 자동등록방지를 사용해야 할 경우 -if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ +if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){ include_once(G5_CAPTCHA_PATH.'/captcha.lib.php'); if (!chk_captcha()) {
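Review bot: The captcha re-check is gated on `$board && (...)`; in `adm/qa_config_update.php` there is no board context, so unless `$board` is populated somewhere above this hunk the whole `include_once(captcha.lib.php)` branch is dead and changing the Q&A include paths never prompts for the admin captcha. Drop the `$board &&` guard, `if (($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()) {`, matching what `adm/contentformupdate.php` does in the same commit. The `(<\?php|<\?)` strip on the two added lines is a single pass (`<<?php?php` survives as `<?php`); rejecting rather than rewriting is safer.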
adm/sms_admin/history_num.php+1 −1 modified@@ -27,7 +27,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php'); ?> -<form name="search_form" method="get" action="<?echo $_SERVER['SCRIPT_NAME']?>" class="local_sch01 local_sch" > +<form name="search_form" method="get" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" class="local_sch01 local_sch" > <label for="st" class="sound_only">검색대상</label> <select name="st" id="st"> <option value="hs_name"<?php echo get_selected('hs_name', $st); ?>>이름</option>
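Review bot: `$_SERVER['SCRIPT_NAME']` is echoed unescaped into the `action` attribute on the changed line. Unlike `PHP_SELF` it is normally server-controlled, but some front-end configurations derive it from the request path, and escaping costs nothing: `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>"`, or simply `action=""` to post back to the same URL.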
adm/sms_admin/num_book_update.php+2 −0 modified@@ -21,6 +21,8 @@ if (!strlen(trim($bk_name))) alert('이름을 입력해주세요'); + $bk_name = strip_tags($bk_name); + if ($bk_hp == '') alert('휴대폰번호만 입력 가능합니다.'); /*
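Review bot: `strip_tags($bk_name)` runs after the `strlen(trim($bk_name))` required check on the line above, so a name consisting only of tags (`<b></b>`) passes validation and is stored empty; swap the two, `$bk_name = strip_tags($bk_name);` first, then `if (!strlen(trim($bk_name))) alert('이름을 입력해주세요');`. The `bk_hp == ''` check below only tests for emptiness although its message says only a phone number is accepted; if the digit-only validation lives in the part of the file outside this hunk, fine, otherwise add `if (!preg_match('/^[0-9-]+$/', $bk_hp)) alert('휴대폰번호만 입력 가능합니다.');`.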
adm/sms_admin/num_book_write.php+6 −8 modified@@ -30,7 +30,7 @@ $g5['title'] .= '수정'; } else { - $write['bg_no'] = $bg_no; + $write = array('bg_no' => (int) $bg_no); $g5['title'] .= '추가'; } @@ -43,12 +43,12 @@ ?> <form name="book_form" id="book_form" method="post" action="./num_book_update.php"> -<input type="hidden" name="w" value="<?php echo $w?>"> -<input type="hidden" name="page" value="<?php echo $page?>"> -<input type="hidden" name="ap" value="<?php echo $ap?>"> +<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>"> +<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>"> +<input type="hidden" name="ap" value="<?php echo get_sanitize_input($ap); ?>"> <input type="hidden" name="bk_no" value="<?php echo $write['bk_no']?>"> <input type="hidden" name="mb_id" id="mb_id" value="<?php echo $write['mb_id']?>"> -<input type="hidden" name="get_bg_no" value="<?php echo $bg_no?>"> +<input type="hidden" name="get_bg_no" value="<?php echo get_sanitize_input($bg_no); ?>"> <div class="tbl_frm01 tbl_wrap"> <table> @@ -74,7 +74,7 @@ </tr> <tr> <th scope="row"><label for="bk_name">이름<strong class="sound_only"> 필수</strong></label></th> - <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo $write['bk_name']?>" required class="frm_input required"></td> + <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo get_sanitize_input($write['bk_name']); ?>" required class="frm_input required"></td> </tr> <tr> <th scope="row"><label for="bk_hp">휴대폰번호<strong class="sound_only"> 필수</strong></label></th> 
@@ -187,14 +187,12 @@ function book_submit(){ if($check_msg.size()> 0) $check_msg.remove(); -// $("#exist_msg").text("<?php echo $exist_msg_2; ?>"); is_submit = true; } else { if($check_msg.size() < 1) $("input#bk_hp").after("<div id=\"hp_check_el\"><h3>이 번호를 쓰는 회원 정보</h3><ul></ul></div>"); $("#hp_check_el").find("ul").html( list_text ); -// $("#exist_msg").html("<?php echo $exist_msg_1 ?>"); if(confirm("회원 정보에 중복 휴대폰 번호가 있습니다.수정하실 경우 회원정보에 반영되지 않습니다.\n수정하시겠습니까?")) is_submit = true;
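Review bot: The hidden `bk_no` and `mb_id` inputs in the same form still echo `$write['bk_no']` and `$write['mb_id']` without escaping, while `w`, `page`, `ap` and `get_bg_no` now go through `get_sanitize_input()`; values read back from the database are not safer than request values, so apply the same helper there. For the numeric field a cast is tighter than an HTML escape — `<input type="hidden" name="get_bg_no" value="<?php echo (int) $bg_no; ?>">` — and matches the `(int) $bg_no` the new `$write` initialisation uses above. In the create branch `$write` now holds only `bg_no`, so `$write['bk_no']`, `$write['mb_id']` and `$write['bk_name']` are undefined-index reads on the form page; initialise them to `''` in the same array.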
bbs/formmail_send.php+3 −4 modified@@ -12,14 +12,13 @@ $email_enc = new str_encrypt(); $to = $email_enc->decrypt($to); -if (substr_count($to, "@") > 1) - alert_close('한번에 한사람에게만 메일을 발송할 수 있습니다.'); - - if (!chk_captcha()) { alert('자동등록방지 숫자가 틀렸습니다.'); } +if (!preg_match("/([0-9a-zA-Z_-]+)@([0-9a-zA-Z_-]+)\.([0-9a-zA-Z_-]+)/", $to)){ + alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.'); +} $file = array(); for ($i=1; $i<=$attach; $i++) {
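Review bot: The regex on the added `preg_match` is unanchored and only requires one `user@host.tld` somewhere in `$to`, so it accepts `a@b.cd,c@d.ef` and `a@b.cd\r\nBcc: x@y.zz`; together with the removal of the `substr_count($to, "@") > 1` check this is a regression — a decrypted `$to` with several recipients or injected headers now passes. Anchor it and keep the count check, e.g. `if (substr_count($to, '@') != 1 || !preg_match('/^[0-9A-Za-z._-]+@[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)+$/', $to)) alert_close('E-mail 주소가 형식에 맞지 않아서, 메일을 보낼수 없습니다.');`, or use `filter_var($to, FILTER_VALIDATE_EMAIL)`. Whether an attacker can supply a crafted `$to` at all depends on `str_encrypt` being unforgeable, and this same commit weakens that by deriving its default salt from `SERVER_SOFTWARE` and `DOCUMENT_ROOT` (see the `lib/common.lib.php` hunk).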
bbs/login_check.php+1 −1 modified@@ -72,7 +72,7 @@ // 3.27 // 자동로그인 --------------------------- // 쿠키 한달간 저장 - $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $mb['mb_password']); + $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['SERVER_SOFTWARE'] . $_SERVER['HTTP_USER_AGENT'] . $mb['mb_password']); set_cookie('ck_mb_id', $mb['mb_id'], 86400 * 31); set_cookie('ck_auto', $key, 86400 * 31); // 자동로그인 end ---------------------------
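Review bot: Swapping `REMOTE_ADDR` for `SERVER_SOFTWARE` removes the only per-client component of the auto-login key; what remains is `SERVER_ADDR`, the server banner, the User-Agent (attacker-chosen) and the member's stored password hash, so the 31-day `ck_auto` cookie is now a deterministic function of `mb_password` alone, and anyone who reads that column (a database leak, SQL injection) can mint it for every member without cracking anything. Prefer a random per-login token — `$token = bin2hex(random_bytes(32));` — stored server-side (hashed) against the member and sent in `ck_auto`, then checked with `hash_equals()` in `common.php`; that also gives a way to revoke auto-login without changing the password. If `random_bytes()` is unavailable on the PHP versions this project supports, `openssl_random_pseudo_bytes()` is still better than `md5()` of known inputs.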
bbs/member_confirm.php+4 −0 modified@@ -24,6 +24,10 @@ // url 체크 check_url_host($url, '', G5_URL, true); +if( preg_match('#^/{3,}#', $url) ){ + $url = preg_replace('#^/{3,}#', '/', $url); +} + $url = get_text($url); include_once($member_skin_path.'/member_confirm.skin.php');
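Review bot: Collapsing `///...` to `/` stops the `///evil.example` form of a scheme-relative redirect, but browsers also treat `/\evil.example` and `\\evil.example` as `//evil.example`, and `^/{3,}` does not catch those — whether `check_url_host()` on the line above rejects them is not visible here. A positive check is simpler than enumerating variants: after the host check, require a single leading slash followed by a non-slash character, `if (!preg_match('#^/(?![/\\\\])#', $url)) $url = G5_URL;`, and keep the `get_text()` escape that follows. The `if (preg_match(...))` wrapper around the `preg_replace` is redundant, since `preg_replace` is a no-op when nothing matches.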
common.php+2 −1 modified@@ -374,7 +374,7 @@ function sql_escape_string($str) $sql = " select mb_password, mb_intercept_date, mb_leave_date, mb_email_certify from {$g5['member_table']} where mb_id = '{$tmp_mb_id}' "; $row = sql_fetch($sql); if($row['mb_password']){ - $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $row['mb_password']); + $key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['SERVER_SOFTWARE'] . $_SERVER['HTTP_USER_AGENT'] . $row['mb_password']); // 쿠키에 저장된 키와 같다면 $tmp_key = get_cookie('ck_auto'); if ($tmp_key === $key && $tmp_key) { @@ -621,6 +621,7 @@ function sql_escape_string($str) foreach($extend_file as $file) { include_once(G5_EXTEND_PATH.'/'.$file); } + unset($file); } unset($extend_file);
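Review bot: The lookup two lines above the changed one interpolates `$tmp_mb_id` — a value taken from the `ck_mb_id` cookie — into `where mb_id = '{$tmp_mb_id}'`; whether the cookie helper escapes it is outside the hunk, so validate it up front with the id pattern this code base already uses, `if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $tmp_mb_id)) $tmp_mb_id = '';`. The `$tmp_key === $key && $tmp_key` comparison is acceptable for an md5 of non-secret inputs, but if the key becomes a real token `hash_equals($key, $tmp_key)` is the right primitive. As noted on `bbs/login_check.php`, the key is now derived only from the server banner, User-Agent and `mb_password`, so a leaked password hash is a 31-day session for that member; the fix belongs where the cookie is minted, and this check should then compare against a stored token rather than recompute it.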
config.php+1 −1 modified@@ -5,7 +5,7 @@ ********************/ define('G5_VERSION', '그누보드5'); -define('G5_GNUBOARD_VER', '5.3.1.5'); +define('G5_GNUBOARD_VER', '5.3.1.6'); // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음 define('_GNUBOARD_', true);
js/kakaolink.js+16 −6 modified@@ -1,10 +1,20 @@ -function kakaolink_send(text, url) +function kakaolink_send(text, url, image) { + if( image === undefined ){ + image = ''; + } + // 카카오톡 링크 버튼을 생성합니다. 처음 한번만 호출하면 됩니다. - Kakao.Link.sendTalkLink({ - webLink : { - text: String(text), - url: url // 앱 설정의 웹 플랫폼에 등록한 도메인의 URL이어야 합니다. - } + Kakao.Link.sendDefault({ + objectType: 'feed', + content: { + title: String(text), + description: url, + imageUrl: image, + link: { + mobileWebUrl: url, + webUrl: url // 앱 설정의 웹 플랫폼에 등록한 도메인의 URL이어야 합니다. + } + } }); } \ No newline at end of file
lib/common.lib.php+5 −5 modified@@ -3269,7 +3269,7 @@ class str_encrypt function __construct($salt='') { if(!$salt) - $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), G5_MYSQL_PASSWORD)); + $this->salt = md5(preg_replace('/[^0-9A-Za-z]/', substr(G5_MYSQL_USER, -1), $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT'])); else $this->salt = $salt; @@ -3288,12 +3288,12 @@ function encrypt($str) $result .= $char; } - return base64_encode($result); + return strtr(base64_encode($result) , '+/=', '._-'); } function decrypt($str) { $result = ''; - $str = base64_decode($str); + $str = base64_decode(strtr($str, '._-', '+/=')); $length = strlen($str); for($i=0; $i<$length; $i++) { @@ -3438,7 +3438,7 @@ function is_include_path_check($path='', $is_input='') if( $path ){ if ($is_input){ - if( stripos($path, 'php://') !== false || stripos($path, 'zlib://') !== false || stripos($path, 'bzip2://') !== false || stripos($path, 'zip://') !== false || stripos($path, 'data:text/') !== false || stripos($path, 'data://') !== false ){ + if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){ return false; } @@ -3478,7 +3478,7 @@ function is_include_path_check($path='', $is_input='') return false; } - if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', $path) ){ + if( preg_match('/\/data\/(file|editor|qa|cache|member|member_image|session|tmp)\/[A-Za-z0-9_]{1,20}\//i', str_replace('\\', '/', $path)) ){ return false; } }
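Review bot: The new default salt `md5(... $_SERVER['SERVER_SOFTWARE'].$_SERVER['DOCUMENT_ROOT'])` is built only from values an outsider can usually learn — the server banner is sent in the `Server:` header and the document root leaks through stack traces and common hosting layouts — whereas the old one used `G5_MYSQL_PASSWORD`, which is secret. Every `str_encrypt` token (the `$to` address in `bbs/formmail_send.php`, for instance) becomes forgeable by anyone who guesses those two strings; if the intent was to stop tokens breaking when the DB password rotates, use a random secret generated once at install and stored outside the web root, or at least keep the password in the mix, `md5(G5_MYSQL_PASSWORD.$_SERVER['DOCUMENT_ROOT'])`. The URL-safe base64 change is fine, but note `decrypt()` still accepts the old `+/=` alphabet only after the `strtr`, so tokens issued before this release will no longer decode. The `is_include_path_check` denylist, now `php:`/`zlib:`/`bzip2:`/`zip:`/`data:`/`phar:`, still omits `file:`, `ftp:` and `http(s):`; an allowlist of relative paths under the skin directory is the robust form.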
mobile/skin/board/basic/list.skin.php+0 −1 modified@@ -76,7 +76,6 @@ <?php if ($list[$i]['is_notice']) { ?><strong class="notice_icon"><i class="fa fa-volume-up" aria-hidden="true"></i>공지</strong><?php } ?> <?php echo $list[$i]['subject'] ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
mobile/skin/board/basic/view.skin.php+1 −1 modified@@ -153,7 +153,7 @@ </section> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
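Review bot: `array_filter($view['link'])` throws a `TypeError` on PHP 8 (and warns on 7.x) when `$view['link']` is unset or not an array, a case the previous `isset(...)` guard tolerated; keep the guard, `<?php if (!empty($view['link']) && array_filter($view['link'])) { ?>`. The same hunk appears in the gallery and desktop `view.skin.php` files in this commit and needs the same change.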
mobile/skin/board/gallery/list.skin.php+0 −1 modified@@ -103,7 +103,6 @@ <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><?php echo $list[$i]['comment_cnt']; ?><span class="sound_only">개</span><?php } ?> </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
mobile/skin/board/gallery/view.skin.php+1 −1 modified@@ -153,7 +153,7 @@ </section> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
plugin/htmlpurifier/safeiframe.txt+3 −1 modified@@ -9,4 +9,6 @@ play.afreeca.com/ v.nate.com/ www.microsoft.com/showcase/video.aspx/ w.soundcloud.com/ -www.facebook.com/ \ No newline at end of file +www.facebook.com/ +kakaotv.daum.net/ +v.afree.ca/ \ No newline at end of file
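Review bot: Whether `kakaotv.daum.net/` and `v.afree.ca/` are safe as iframe sources depends on how this list is compiled into HTML Purifier's `URI.SafeIframeRegexp`; if the generated pattern is not anchored to the start of the host, `https://evil.example/kakaotv.daum.net/` matches a prefix entry. That compilation is not in this diff, so it is worth checking once — an anchored pattern of the shape `^(https?:)?//(www\.youtube\.com/embed/|kakaotv\.daum\.net/|...)` is the usual form. Also confirm `v.afree.ca` is an official AfreecaTV domain rather than a lookalike; the existing entry is `play.afreeca.com/`.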
plugin/sns/view.sns.skin.php+1 −1 modified@@ -23,7 +23,7 @@ ?> <?php if(G5_IS_MOBILE && $config['cf_kakao_js_apikey']) { ?> -<script src="https://developers.kakao.com/sdk/js/kakao.min.js"></script> +<script src="//developers.kakao.com/sdk/js/kakao.min.js"></script> <script src="<?php echo G5_JS_URL; ?>/kakaolink.js"></script> <script> // 사용할 앱의 Javascript 키를 설정해 주세요.
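Review bot: Changing `https://developers.kakao.com/...` to the scheme-relative `//developers.kakao.com/...` means the Kakao SDK is fetched over plain HTTP whenever the site itself is served over HTTP, and a network attacker can then replace a script that runs with full access to the page; the scheme-relative form buys nothing on an HTTPS site. Keep the explicit `https://` (the old line shows the CDN serves it) and, if Kakao publishes a versioned file, add `integrity`/`crossorigin` attributes.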
skin/board/basic/list.skin.php+0 −1 modified@@ -114,7 +114,6 @@ </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_file'])) echo rtrim($list[$i]['icon_file']); if (isset($list[$i]['icon_link'])) echo rtrim($list[$i]['icon_link']);
skin/board/basic/view.skin.php+1 −1 modified@@ -135,7 +135,7 @@ <!-- } 첨부파일 끝 --> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
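Review bot: As in the mobile skin, `array_filter($view['link'])` is a `TypeError` on PHP 8 when `$view['link']` is not an array, which the removed `isset(...)` guard handled; use `<?php if (!empty($view['link']) && array_filter($view['link'])) { ?>` so the related-links section degrades to hidden rather than fatal.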
skin/board/gallery/list.skin.php+0 −1 modified@@ -117,7 +117,6 @@ <?php echo $list[$i]['subject'] ?> <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><span class="cnt_cmt">+ <?php echo $list[$i]['wr_comment']; ?></span><span class="sound_only">개</span><?php } ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo rtrim($list[$i]['icon_new']);
skin/board/gallery/view.skin.php+1 −1 modified@@ -135,7 +135,7 @@ <!-- } 첨부파일 끝 --> <?php } ?> - <?php if(isset($view['link'][1]) && $view['link'][1]) { ?> + <?php if(array_filter($view['link'])) { ?> <!-- 관련링크 시작 { --> <section id="bo_v_link"> <h2>관련링크</h2>
theme/basic/mobile/skin/board/basic/list.skin.php+0 −1 modified@@ -76,7 +76,6 @@ <?php if ($list[$i]['is_notice']) { ?><strong class="notice_icon"><i class="fa fa-volume-up" aria-hidden="true"></i>공지</strong><?php } ?> <?php echo $list[$i]['subject'] ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
theme/basic/mobile/skin/board/gallery/list.skin.php+0 −1 modified@@ -103,7 +103,6 @@ <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><?php echo $list[$i]['comment_cnt']; ?><span class="sound_only">개</span><?php } ?> </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo $list[$i]['icon_new'];
theme/basic/skin/board/basic/list.skin.php+0 −1 modified@@ -114,7 +114,6 @@ </a> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_file'])) echo rtrim($list[$i]['icon_file']); if (isset($list[$i]['icon_link'])) echo rtrim($list[$i]['icon_link']);
theme/basic/skin/board/gallery/list.skin.php+0 −1 modified@@ -117,7 +117,6 @@ <?php echo $list[$i]['subject'] ?> <?php if ($list[$i]['comment_cnt']) { ?><span class="sound_only">댓글</span><span class="cnt_cmt">+ <?php echo $list[$i]['wr_comment']; ?></span><span class="sound_only">개</span><?php } ?> <?php - // if ($list[$i]['link']['count']) { echo '['.$list[$i]['link']['count']}.']'; } // if ($list[$i]['file']['count']) { echo '<'.$list[$i]['file']['count'].'>'; } if (isset($list[$i]['icon_new'])) echo rtrim($list[$i]['icon_new']);
12 files changed · +26 −13
adm/boardgroup_form.php+1 −1 modified@@ -12,7 +12,7 @@ if ($w == '') { $gr_id_attr = 'required'; $sound_only = '<strong class="sound_only"> 필수</strong>'; - $gr['gr_use_access'] = 0; + $gr = array('gr_use_access' => 0); $html_title .= ' 생성'; } else if ($w == 'u') { $gr_id_attr = 'readonly';
adm/boardgroup_form_update.php+3 −1 modified@@ -16,7 +16,9 @@ if (!$gr_subject) alert('그룹 제목을 입력하세요.'); -$sql_common = " gr_subject = '{$_POST['gr_subject']}', +$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : ''; + +$sql_common = " gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device']}', gr_admin = '{$_POST['gr_admin']}', gr_1_subj = '{$_POST['gr_1_subj']}',
adm/boardgroup_list_update.php+2 −1 modified@@ -19,10 +19,11 @@ { $k = $_POST['chk'][$i]; $gr_id = $_POST['group_id'][$k]; + $gr_subject = strip_tags($_POST['gr_subject'][$k]); if($_POST['act_button'] == '선택수정') { $sql = " update {$g5['group_table']} - set gr_subject = '{$_POST['gr_subject'][$k]}', + set gr_subject = '{$gr_subject}', gr_device = '{$_POST['gr_device'][$k]}', gr_admin = '{$_POST['gr_admin'][$k]}', gr_use_access = '{$_POST['gr_use_access'][$k]}',
adm/contentform.php+5 −3 modified@@ -49,9 +49,11 @@ else { $html_title .= ' 입력'; - $co['co_html'] = 2; - $co['co_skin'] = 'basic'; - $co['co_mobile_skin'] = 'basic'; + $co = array( + 'co_html' => 2, + 'co_skin' => 'basic', + 'co_mobile_skin' => 'basic' + ); } include_once (G5_ADMIN_PATH.'/admin.head.php');
adm/contentformupdate.php+1 −0 modified@@ -20,6 +20,7 @@ $co_row = sql_fetch($sql); } +$co_subject = strip_tags($co_subject); $co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255)); $co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
adm/faqmasterform.php+1 −0 modified@@ -21,6 +21,7 @@ else { $html_title .= ' 입력'; + $fm = array(); } $g5['title'] = $html_title.' 관리';
adm/faqmasterformupdate.php+2 −0 modified@@ -18,6 +18,8 @@ if ($fm_himg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_h"); if ($fm_timg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_t"); +$fm_subject = strip_tags($fm_subject); + $sql_common = " set fm_subject = '$fm_subject', fm_head_html = '$fm_head_html', fm_tail_html = '$fm_tail_html',
adm/newwinform.php+1 −1 modified@@ -109,7 +109,7 @@ <tr> <th scope="row"><label for="nw_subject">팝업 제목<strong class="sound_only"> 필수</strong></label></th> <td> - <input type="text" name="nw_subject" value="<?php echo stripslashes($nw['nw_subject']) ?>" id="nw_subject" required class="frm_input required" size="80"> + <input type="text" name="nw_subject" value="<?php echo get_sanitize_input($nw['nw_subject']); ?>" id="nw_subject" required class="frm_input required" size="80"> </td> </tr> <tr>
adm/newwinformupdate.php+3 −1 modified@@ -12,6 +12,8 @@ check_admin_token(); +$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : ''; + $sql_common = " nw_device = '{$_POST['nw_device']}', nw_begin_time = '{$_POST['nw_begin_time']}', nw_end_time = '{$_POST['nw_end_time']}', @@ -20,7 +22,7 @@ nw_top = '{$_POST['nw_top']}', nw_height = '{$_POST['nw_height']}', nw_width = '{$_POST['nw_width']}', - nw_subject = '{$_POST['nw_subject']}', + nw_subject = '{$nw_subject}', nw_content = '{$_POST['nw_content']}', nw_content_html = '{$_POST['nw_content_html']}' ";
adm/point_update.php+3 −3 modified@@ -6,9 +6,9 @@ check_admin_token(); -$mb_id = $_POST['mb_id']; -$po_point = $_POST['po_point']; -$po_content = $_POST['po_content']; +$mb_id = strip_tags($_POST['mb_id']); +$po_point = strip_tags($_POST['po_point']); +$po_content = strip_tags($_POST['po_content']); $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']); $mb = get_member($mb_id);
adm/sms_admin/num_book_update.php+2 −0 modified@@ -21,6 +21,8 @@ if (!strlen(trim($bk_name))) alert('이름을 입력해주세요'); + $bk_name = strip_tags($bk_name); + if ($bk_hp == '') alert('휴대폰번호만 입력 가능합니다.'); /*
adm/sms_admin/num_book_write.php+2 −2 modified@@ -30,7 +30,7 @@ $g5['title'] .= '수정'; } else { - $write['bg_no'] = $bg_no; + $write = array('bg_no' => (int) $bg_no); $g5['title'] .= '추가'; } @@ -74,7 +74,7 @@ </tr> <tr> <th scope="row"><label for="bk_name">이름<strong class="sound_only"> 필수</strong></label></th> - <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo $write['bk_name']?>" required class="frm_input required"></td> + <td><input type="text" name="bk_name" id="bk_name" maxlength="50" value="<?php echo get_sanitize_input($write['bk_name']); ?>" required class="frm_input required"></td> </tr> <tr> <th scope="row"><label for="bk_hp">휴대폰번호<strong class="sound_only"> 필수</strong></label></th>
References
- https://github.com/gnuboard/gnuboard5/blob/b1fc952c7600b825c4b02e2789ddafdea18c8d13/adm/newwinform.php (MITRE x_refsource_MISC)
- https://github.com/gnuboard/gnuboard5/blob/b1fc952c7600b825c4b02e2789ddafdea18c8d13/adm/newwinformupdate.php (MITRE x_refsource_MISC)
- https://github.com/gnuboard/gnuboard5/commit/b1fc952c7600b825c4b02e2789ddafdea18c8d13 (MITRE x_refsource_MISC)