Author: Administrator
Date: 2010-03-19
Views: 1,288
Title: [Notice] Zeroboard 4 bulletin board patch guide

Content
Hello.
This is the hosting team at LG Telecom (통합LG텔레콤).
A security vulnerability caused by missing validation of user-supplied input variables has been found in the Zeroboard 4 bulletin board. The vulnerability, a CSRF (cross-site request forgery) issue, lets requests be executed while bypassing the administrator authorization check, so that administrator privileges can be obtained. Because it is very critical, customers using Zeroboard 4 are asked to refer to the details below and apply the security patch.
For customers who have not yet applied the patch, LG Telecom hosting plans to patch all unpatched installations in bulk after April 1, so please plan your work accordingly.
1. Countermeasure for CSRF attacks using the Zeroboard 4 administrator session

□ Overview
 o A CSRF-related security vulnerability was recently found in Zeroboard 4, a domestic PHP-based open-source web bulletin board.
 o Because this vulnerability creates a threat of website defacement and remote execution, users' attention and prompt patching are required.

□ Impact
 o A remote user can obtain Zeroboard 4 administrator privileges.
 o With those administrator privileges, reading arbitrary files on the system, executing PHP commands and similar actions become possible, which can lead to web defacement, remote execution and so on.

□ Affected systems
 o All versions of Zeroboard 4

□ Description
 o A remote user is able to read arbitrary files on the system or execute arbitrary PHP code, leading to intrusions such as web defacement.

□ Solution
 o If you are installing Zeroboard 4 for the first time: download the admin_exec_member.php installation file with the vulnerability fixed from the official site (www.zeroboard.com) and install it.
 o If Zeroboard 4 is already in use: add the following at line 106 of admin_exec_member.php.
   [Source modification]
   if($_SERVER['REQUEST_METHOD']!='POST') die("비정상적인 접근이라 차단됩니다");

[Reference sites]
 [1] http://www.xpressengine.com/zb4_security
 [2] http://www.xpressengine.com/zb4_main
 [3] http://www.xpressengine.com/18695228
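The request-method check above stops the cross-site requests that arrive as plain GETs, but a form on a third-party page can still submit a POST that the browser sends with the victim's session cookie, so the usual complement is a per-session token that the admin form carries in a hidden field and the action script verifies. The following is an added example, not Zeroboard's own code: the function names, the session key and the csrf_token field are assumptions, and it needs PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not Zeroboard's code): the advisory's request-method guard in
// function form, plus a per-session CSRF token as the complementary check.
// Function names, the session key and the form field name are assumptions.

declare(strict_types=1);

const CSRF_TOKEN_KEY = 'zb_csrf_token'; // assumed session key

// The advisory's own fix: refuse anything that is not a POST request.
function require_post(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST';
}

// Issue one token per session; the admin form embeds it as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// A page on another origin cannot read the victim's token, so a forged POST
// lacks it even though the browser attaches the session cookie. Compare in
// constant time so the comparison itself leaks nothing about the token.
function csrf_token_valid(array $session, array $post): bool
{
    $expected = $session[CSRF_TOKEN_KEY] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Guard to place at the top of an admin action script such as
// admin_exec_member.php; both conditions must hold.
function admin_request_allowed(array $server, array $session, array $post): bool
{
    return require_post($server) && csrf_token_valid($session, $post);
}

// Constructed requests, run when the file is executed from the command line.
if (PHP_SAPI === 'cli') {
    $session = [];
    $token   = csrf_token($session);

    $cases = [
        'GET, no token'           => [['REQUEST_METHOD' => 'GET'],  []],
        'POST, no token'          => [['REQUEST_METHOD' => 'POST'], []],
        'POST, wrong token'       => [['REQUEST_METHOD' => 'POST'], ['csrf_token' => str_repeat('0', 64)]],
        'POST, session token'     => [['REQUEST_METHOD' => 'POST'], ['csrf_token' => $token]],
    ];
    foreach ($cases as $label => [$server, $post]) {
        printf("%-22s -> %s\n", $label,
            admin_request_allowed($server, $session, $post) ? 'allowed' : 'blocked');
    }
}
```

Only the last constructed request is allowed; the first three are blocked, the first one by the method check alone and the next two by the token check. In a real deployment the `$session` array is `$_SESSION` after `session_start()`, and the token is written into the admin form as `<input type="hidden" name="csrf_token" value="...">` with the value HTML-escaped.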
2. Vulnerability allowing files on the server to be executed directly through the _zb_path and dir variables, without a web shell

□ Overview
 o Content: a vulnerability allowing files on the server to be executed directly through the _zb_path and dir variables, without a web shell; reported by: Korea Internet & Security Agency (http://www.kisa.or.kr)
 o Target: all versions of Zeroboard 4
 o Note: one of the vulnerabilities occurs only on PHP 5.2 or later, the other regardless of PHP version.

□ Fix
 o Applying the patch file: unzip the attached patch.2009.02.22.zip (http://www.xpressengine.com/?module=file&act=procFileDownload&file_srl=18320633&sid=d2ba18653e1f33ef4141ec3297dd031a) and overwrite the existing files.
 o Manual modification
  - Target files
   1. _head.php
   2. skin/zero_vote/ask_password.php
   3. skin/zero_vote/error.php
   4. skin/zero_vote/login.php
   5. skin/zero_vote/setup.php
  - Changes
   o _head.php
    [Before]
    if(eregi(":\/\/",$_zb_path)||eregi("\.\.",$_zb_path)) $_zb_path ="./";
    [After]
    if(eregi(":\/\/",$_zb_path)||eregi("\.\.",$_zb_path)||eregi("^\/",$_zb_path)||eregi("data:;",$_zb_path)) $_zb_path ="./";
   o Files under skin/zero_vote/
    [Before]
    if(eregi(":\/\/",$dir)||eregi("\.\.",$dir)) $dir ="./";
    [After]
    if(eregi(":\/\/",$dir)||eregi("\.\.",$dir)||eregi("^\/",$dir)||eregi("data:;",$dir)) $dir ="./";

□ Reference site
 o http://www.xpressengine.com/zb4_security/18319857
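To see what the two added conditions change, here is the before and after check rewritten as functions and run over a few constructed inputs. This is an added example, not Zeroboard's code: it uses preg_match() in place of eregi(), which was deprecated in PHP 5.3 and removed in PHP 7, and the function names are assumptions. The third function goes beyond the patch and is an allow-list variant: it accepts only strings shaped like a relative path, so it does not depend on naming particular wrapper schemes.

```php
<?php
// Added example (not Zeroboard's code): the _zb_path / $dir guard before and
// after the advisory's patch, using preg_match() because eregi() no longer
// exists in PHP 7. Function names are assumptions for illustration.

declare(strict_types=1);

// Pre-patch check: only "://" and ".." force the path back to "./".
function zb_path_before(string $path): string
{
    if (preg_match('#://#i', $path) || preg_match('#\.\.#', $path)) {
        return './';
    }
    return $path;
}

// Post-patch check: additionally rejects absolute paths (leading "/") and
// the literal "data:;" prefix of the data: stream wrapper (PHP 5.2+).
function zb_path_after(string $path): string
{
    if (preg_match('#://#i', $path)
        || preg_match('#\.\.#', $path)
        || preg_match('#^/#', $path)
        || preg_match('#data:;#i', $path)) {
        return './';
    }
    return $path;
}

// Allow-list variant (beyond the patch): accept only a non-empty relative path
// made of plain segment characters; any scheme, ":" or leading "/" fails the
// shape test, and ".." segments are rejected separately.
function zb_path_allowlist(string $path): string
{
    $ok = $path !== ''
        && preg_match('#^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*$#', $path) === 1
        && strpos($path, '..') === false;
    return $ok ? $path : './';
}

// Constructed inputs, run when the file is executed from the command line.
if (PHP_SAPI === 'cli') {
    $inputs = [
        './',                       // the default value
        'skin/zero_vote/',          // an ordinary relative skin directory
        '../../etc/passwd',         // parent-directory traversal
        'http://example.invalid/x', // remote URL wrapper
        '/var/www/uploads/',        // absolute path: passes the old check
        'data:;base64,AAAA',        // data: wrapper: passes the old check
    ];
    printf("%-28s %-28s %-28s %s\n", 'input', 'before', 'after', 'allow-list');
    foreach ($inputs as $in) {
        printf("%-28s %-28s %-28s %s\n", $in,
            zb_path_before($in), zb_path_after($in), zb_path_allowlist($in));
    }
}
```

The first two inputs pass all three functions unchanged; the traversal and URL inputs are reset to "./" by all three; the absolute path and the data: value are the ones the pre-patch check lets through and the patched check resets, which is exactly the gap the advisory's two extra eregi() terms close.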