|
Á¦·Îº¸µå ¼Ò½º º¯Á¶¿¡ ´ëÇÑ ¾È³» ¸»¾¸. | |
|
|
|
¾È³çÇϼ¼¿ä. ¸¶·çÀÎÅͳÝÀÔ´Ï´Ù. 12¿ù 18ÀÏ ÀÌÈÄ·Î Á¦·Îº¸µå Ãë¾à¼ºÀ¸·Î ÀÎÇÑ ÆÄÀÏ º¯Á¶°¡ ¹ß»ýÇÏ°í ÀÖ½À´Ï´Ù. ÇöÀç±îÁö ¹ß»ýÇÑ °æ¿ì¸¦ º¸¸é Á¦·Îº¸µåÀÇ ¹öÀüÀÌ pl8 ÀÌÇÏÀÎ °æ¿ì¿¡ ¹ß»ýÇÏ°í ÀÖ½À´Ï´Ù. Á¦·Îº¸µåÀÇ ¹öÀüÀº bbs Æú´õÀÇ lib.php ÆÄÀÏ¿¡¼ È®ÀÎÇÏ½Ç ¼ö ÀÖ½À´Ï´Ù. _________________________________________________________________________ ¿øÀÎ : Á¦·Îº¸µå 4 °Ô½ÃÆÇÀÇ Ãë¾à¼ºÀ» ÀÌ¿ëÇÑ ÆÄÀÏ º¯Á¶ Áõ»ó : 1. bbs/icon Æú´õ¿¡ group_qazwsxedc.jpg ÆÄÀÏ°ú visitLog.php »ý¼º 2. °èÁ¤³» È®ÀåÀÚ°¡ html, php ÆÄÀϵ鿡 frame src="¾Ç¼ºÄÚµå ¹èÆ÷Áö URL »ðÀÔ (¿¹: http://h.nexprice.com/css/x.htm) * ÁÖ·Î bbs/Æú´õ³»ÀÇ ÆÄÀϵ鿡 ¼Ò½º°¡ »ðÀԵ˴ϴÙ. * °èÁ¤³» ÆÄÀϵ鿡 iframe »ðÀÔÀº ¾øÀ» ¼öµµ ÀÖ½À´Ï´Ù. 3. Á¦·Îº¸µå DB¿¡ zetyx_group_table »ý¼ºµÇ°í ÀÌ Å×À̺íÀÇ header ¶Ç´Â header_url ¿¡ À§ 2¹ø°ú µ¿ÀÏÇÑ ¾Ç¼ºÄÚµå ¹èÆ÷Áö URL »ý¼º. 2010³â 12¿ù 22ÀÏ RFI Ãë¾àÁ¡ º¸¾È ÆÐÄ¡ 1. bbs/icon Æú´õ¿¡ »ý¼ºµÈ group_qazwsxedc.jpg, visitLog.php ÆÄÀÏ »èÁ¦ 2. html, php ÆÄÀÏ¿¡ »ðÀÔµÈ iframe ¼Ò½º »èÁ¦ 3. °ü¸®ÀÚ ÆäÀÌÁö¸¦ ÅëÇØ qazwsxedc ±×·ì »èÁ¦ 4. Á¦·Îº¸µå¼³Ä¡Æú´õ/_head.php ÆÄÀÏÀÇ 13¹ø° ÁÙ ¼Ò½º º¯°æ(°ø½Ä º¸¾È ÆÐÄ¡ ÆäÀÌÁö Âü°í) 5. Á¦·Îº¸µå¼³Ä¡Æú´õ/skin/zero_vote/ask_password.php / error.php / login.php ÆÄÀÏÀÇ 2¹ø° ÁÙ ¼Ò½º °¢°¢ º¯°æ(°ø½Ä º¸¾È ÆÐÄ¡ ÆäÀÌÁö Âü°í) ¡Ø Á¦·Îº¸µå °ø½Ä º¸¾È ÆÐÄ¡ http://www.xpressengine.com/zb4_security/19346851 Á¦·Îº¸µå4 pl9 ¹öÀü¿¡¼ RFI (¿ø°ÝÆÄÀÏ ÀÎŬ·çµå) Ãë¾àÁ¡ÀÌ ¹ß°ßµÇ¾ú½À´Ï´Ù. Àå°æĨ´Ô²²¼ Á¦º¸ÇØÁֽŠ³»¿ëÀÔ´Ï´Ù. _head.php ÆÄÀÏ°ú skin/zero_vote/*.php ÆÄÀÏ¿¡ ´ëÇØ ¾Æ·¡ ³»¿ëÀ¸·Î ÄÚµå ¼öÁ¤À» ÅëÇÑ ÆÐÄ¡¸¦ ±Çµå¸³´Ï´Ù. _head.php [¼öÁ¤Àü] _head.php view sourceprint?13.if(eregi(":\/\/",$_zb_path)||eregi("\.\.",$_zb_path)||eregi("^\/",$_zb_path)||eregi("data:;",$_zb_path)) $_zb_path ="./"; [¼öÁ¤ÈÄ] _head.php: ¹®ÀÚ°¡ $_zb_path¿¡ Æ÷ÇÔµÇÁö ¾Êµµ·Ï ¼öÁ¤ view sourceprint?13.if(eregi(":\/\/",$_zb_path)||eregi("\.\.",$_zb_path)||eregi("^\/",$_zb_path)||eregi("data:;",$_zb_path)||eregi(":",$_zb_path)) $_zb_path ="./"; skin/zero_vote/ µð·ºÅ丮ÀÇ ¾Æ·¡¿¡ ÇØ´çµÇ´Â .php ÆÄÀÏ - ask_password.php - error.php - login.php [¼öÁ¤Àü] ./skin/zero_vote/ask_password.php, error.php, login.php view sourceprint?2.if(eregi(":\/\/",$dir)||eregi("\.\.",$dir)||eregi("^\/",$dir)||eregi("data:;",$dir)) $dir ="./"; [¼öÁ¤ÈÄ] ./skin/zero_vote/ask_password.php, error.php, login.php view sourceprint?2.if(eregi(":\/\/",$dir)||eregi("\.\.",$dir)||eregi("^\/",$dir)||eregi("data:;",$dir)||eregi(":",$dir)) $dir ="./"; -------------------------------------------------------------------------------------------- _ À§ ³»¿ëÀÇ Á¶Ä¡´Â ±Ùº»ÀûÀÎ Á¶Ä¡´Â ¾Æ´Ï¸ç ¾Ç¼ºÄÚµå ¼Ò½º »ðÀÔ¿¡ ´ëÇÑ ´ëÀÀ Á¶Ä¡·Î Á¦·Îº¸µå Ãë¾à¼ºÀÌ ÇØ°áµÇÁö ¾ÊÀ¸¸é ¹Ýº¹µÉ ¼ö ÀÖ½À´Ï´Ù. ±×·¯³ª Á¦·Îº¸µå4 °Ô½ÃÆÇÀÇ °æ¿ì¿¡´Â 2009.09.29ÀÚ·Î Á¦·Îº¸µå4 °ø½Ä ¹èÆ÷°¡ ÁßÁöµÇ¾ú±â ¶§¹®¿¡ ÇØ°áÀÌ µÇÁö ¾Ê½À´Ï´Ù. À§¿Í °°Àº Á¡À» °í·ÁÇÏ¿© Á¦·Îº¸µå4 °Ô½ÃÆÇ »ç¿ëÀÚ²²¼´Â xe·ÎÀÇ ¾÷±×·¹À̵峪 Áö¼ÓÀûÀ¸·Î º¸¾È ÆÐÄ¡°¡ °¡´ÉÇÑ °Ô½ÃÆÇÀ¸·ÎÀÇ º¯°æÀ» °í·ÁÇϽñ⠹ٶø´Ï´Ù. |
Á¦·Îº¸µå4 ¿ø°Ý ½ÇÇà º¸¾È Ãë¾àÁ¡ ÆÐÄ¡ - ½É°¢ÇÑ ¹ö±× |
IE10 ¿¡¼ °áÁ¦°¡ µÇÁö ¾ÊÀº °æ¿ì Á¶Ä¡»çÇ× |
|
|