diff --git a/AvocadoEdition_Light/adm/admin.lib.php b/AvocadoEdition_Light/adm/admin.lib.php
index 9a3a723..dfda8d0 100644
--- a/AvocadoEdition_Light/adm/admin.lib.php
+++ b/AvocadoEdition_Light/adm/admin.lib.php
@@ -419,6 +419,28 @@ function admin_referer_check($return = false)
     }
 }
+function admin_check_xss_params($params)
+{
+
+    if (!$params)
+        return;
+
+    foreach ($params as $key => $value) {
+
+        if (empty($value))
+            continue;
+
+        if (is_array($value)) {
+            admin_check_xss_params($value);
+        } else if (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) {
+            alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
+            die();
+        }
+    }
+
+    return;
+}
+
 // 접근 권한 검사
 if (!$member['mb_id']) {
     goto_url(G5_BBS_URL . '/login.php?url=' . urlencode(G5_ADMIN_URL));
@@ -480,6 +502,12 @@ if (isset($page))
     $arr_query[] = 'page=' . $page;
 $qstr = implode("&", $arr_query);
+if (isset($_REQUEST) && $_REQUEST) {
+    if (admin_referer_check(true)) {
+        admin_check_xss_params($_REQUEST);
+    }
+}
+
 if (run_replace('safe_admin_add_script_boolean', false) === false) {
     $config['cf_analytics'] = '';
     $config['cf_add_script'] = '';
diff --git a/AvocadoEdition_Light/skin/member/basic/login.skin.php b/AvocadoEdition_Light/skin/member/basic/login.skin.php
index 53e1d1d..b293d48 100644
--- a/AvocadoEdition_Light/skin/member/basic/login.skin.php
+++ b/AvocadoEdition_Light/skin/member/basic/login.skin.php
@@ -8,19 +8,15 @@ add_stylesheet('', 0);
 /*********** Logo Data ************/
-$logo = get_logo('pc');
-$m_logo = get_logo('mo');
+$logo = get_logo();
+$m_logo = get_logo();
 $logo_data = "";
 if($logo) $logo_data .= "";
 /*********************************/
 ?>
- - -
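Review bot: The third pattern in the new `else if` of `admin_check_xss_params`, `/[onload|onerror]=.*/ius`, is a character class, not an alternation: it matches any single character from `o n l a d | e r` followed by `=`, so a harmless `<div id="x">` or `<a name="y">` trips the alert and kills the admin page, while `onclick=`, `onfocus=` or `<a href="javascript:…">` pass untouched. A per-attribute pattern such as `/\bon[a-z]+\s*=/iu` says what was evidently meant, and the `.*` tail and `s` modifier add nothing. Even fixed, this remains a request-level blocklist that cannot stand in for per-context escaping where admin pages echo these values, and I would state that above the function: `// Best-effort heuristic only: a last line of defence, not a substitute for htmlspecialchars() at output.` Note also that `empty($value)` skips the string "0" and the first pattern uses `i` without `u` while the other two use `u` — worth a one-line comment if intentional.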
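Review bot: The new block runs `admin_check_xss_params($_REQUEST)` only when `admin_referer_check(true)` is truthy, so the scan is gated on the Referer header, which the client controls (a hostile page can send none via `Referrer-Policy: no-referrer`); whichever sense that return value has — its body is defined outside this hunk — one class of request skips the check entirely. If the filter is meant as a last line of defence it should run unconditionally, `if ($_REQUEST) { admin_check_xss_params($_REQUEST); }`, and `isset($_REQUEST)` is always true for a superglobal anyway. Be aware that under the default `request_order` `$_REQUEST` may also carry cookies, so a stale cookie containing a tag would block every admin page until cleared, and a GET/POST key collision leaves only one of the two values inspected — a comment on why `$_REQUEST` rather than `$_GET + $_POST` was chosen would help the next maintainer.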
- @@ -45,8 +41,6 @@ if($logo) $logo_data .= "";
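Review bot: After this change `$logo` and `$m_logo` are both assigned from the identical call `get_logo()`, so the pc/mobile distinction the two variables encoded is gone and the second variable is now redundant. If `get_logo()` still accepts a device argument this silently drops the mobile logo; if the argument was removed, either drop `$m_logo` or make the aliasing explicit with `$m_logo = $logo; // single logo for all devices`. Several removed lines in this hunk look like markup the extraction stripped, so I cannot assess them here.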
- -