

Title | [Security] Security update advisory for a Korean public web bulletin board (ZeroBoard XE) | Date [2010-06-22]

□ Overview
o An XSS-related security vulnerability was recently found in ZeroBoard XE, a PHP-based public web bulletin board widely used in Korea [1]
o Because the vulnerability creates a threat of website defacement and remote execution, users need to take care and apply the patch promptly
□ Impact
o A remote user can obtain ZeroBoard XE administrator privileges
o With the obtained administrator privileges it is possible to read arbitrary files on the system, execute PHP commands, and so on,
which can lead to web defacement, remote execution and similar consequences
□ Affected systems
o Affected systems
- ZeroBoard XE version 1.4.0.9 and earlier
o Systems not affected
- ZeroBoard XE version 1.4.0.10
□ Resolution
o Users installing ZeroBoard XE for the first time [3]
- From the "Official site (www.xpressengine.com) - Download - Category (XE Core)" menu, download and install
XpressEngine Core ver. 1.4.0.10, in which the vulnerability is patched

o Existing ZeroBoard XE users running a vulnerable version [1]
- Update the changed files
* Download xe.1.4.0.10.changed.tgz, which contains the patched files, from the official site (www.xpressengine.com),
extract it, and place config.inc.php and func.inc.php in the config directory of the running XE
installation
- Or modify the source code
* Change part of the existing ./config/func.inc.php file as shown below
=====================================================================================================
// Prefix every " on<event>=" attribute with "_" so the browser no longer treats it as an event handler.
// The event list is split over concatenated string literals here for readability; the resulting
// pattern is identical to the one-line original. "invaild" is spelled that way in the vendor's patch.
$attrs = preg_replace('/(\r|\n| )+on(click|dblclick|mousedown|mouseup|mouseover|mouseout|mousemove|'
    . 'keydown|keyup|keypress|load|unload|abort|error|select|change|submit|reset|resize|scroll|focus|blur|'
    . 'forminput|input|invaild|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|mousewheel|scroll|'
    . 'canplay|canplaythrough|durationchange|emptied|ended|error|loadeddata|loadstart|pause|play|playing|'
    . 'progress|ratechange|readystatechange|seeked|seeking|stalled|suspend|timeupdate|volumechange|waiting|'
    . 'message|show)+([= ]+)/is', ' _on$2=', $attrs);
=====================================================================================================
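
The vendor pattern above works by renaming event-handler attributes rather than deleting them. As an added illustration (not part of the advisory or of XE's own code), the same pattern ported to Python's re module and run over constructed attribute strings, with a post-filter check that no on* attribute survives; the sample strings and the has_live_handler check are assumptions made for this example:

```python
import re

# Event names copied verbatim from the vendor's patched pattern quoted in the
# advisory (including the "invaild" spelling as it appears there).
EVENT_NAMES = (
    "click|dblclick|mousedown|mouseup|mouseover|mouseout|mousemove|"
    "keydown|keyup|keypress|load|unload|abort|error|select|change|submit|reset|resize|scroll|focus|blur|"
    "forminput|input|invaild|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|mousewheel|scroll|"
    "canplay|canplaythrough|durationchange|emptied|ended|error|loadeddata|loadstart|pause|play|playing|"
    "progress|ratechange|readystatechange|seeked|seeking|stalled|suspend|timeupdate|volumechange|waiting|"
    "message|show"
)

# PHP original: preg_replace('/(\r|\n| )+on(NAMES)+([= ]+)/is', ' _on$2=', $attrs)
# Port to Python's re: the /i and /s modifiers become re.I | re.S, and $2 becomes \2.
HANDLER_RE = re.compile(r"(\r|\n| )+on(" + EVENT_NAMES + r")+([= ]+)", re.I | re.S)


def neutralize_event_handlers(attrs: str) -> str:
    """Rewrite ' onXXX=' to ' _onXXX=' so the browser no longer sees a handler."""
    return HANDLER_RE.sub(r" _on\2=", attrs)


def has_live_handler(attrs: str) -> bool:
    """Post-filter sanity check (assumed helper): is any attribute name still an on* handler?"""
    return re.search(r"(?:^|\s)on[a-z]+\s*=", attrs, re.I) is not None


# Constructed attribute strings of the kind the XE filter receives (not taken from real posts).
SAMPLES = [
    ' src="x.png" onerror="alert(1)"',   # classic HTML4-era handler
    ' type="text" oninput="i()"',        # HTML5 form event added by the patch
    ' src="a.mp4" onloadeddata="g()"',   # HTML5 media event; regex must backtrack past "load"
    ' onclick = "f()"',                  # spaces around "=" are absorbed by ([= ]+)
    ' ONMOUSEOVER="h()"',                # upper case, covered by the /i modifier
    ' src="x"\nonerror="z()"',           # handler on its own line, covered by (\r|\n| )+
    ' class="online"',                   # benign: "on" is not preceded by whitespace
]


def run_samples():
    """Return (input, filtered, still_live) for every sample."""
    out = []
    for s in SAMPLES:
        filtered = neutralize_event_handlers(s)
        out.append((s, filtered, has_live_handler(filtered)))
    return out


if __name__ == "__main__":
    for raw, filtered, live in run_samples():
        print(f"{raw!r:40} -> {filtered!r}  live handler left: {live}")
```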

□ User precautions
o Users should regularly check the official ZeroBoard XE notices [2], keep informed about new vulnerabilities,
and take the corresponding measures
□ Terminology
o ZeroBoard XE: bulletin-board software, or framework, for websites, written in PHP
o XSS (Cross Site Scripting) vulnerability: a vulnerability that allows someone other than the website administrator to insert
client-side script into a web page so that other users execute it
o PHP: a server-side scripting language for dynamic websites
□ Other questions
o Is IE (Internet Explorer) affected by this vulnerability?
- No. This vulnerability stems from HTML5, so IE (Internet Explorer), which currently does not support HTML5,
is not affected. However, you may still be harmed by other new vulnerabilities, so please read
the user precautions.
o Is there a site for ZeroBoard XE security notices?
- Yes. The official ZeroBoard XE notice site [2] is run to share vulnerability information and
other information about ZeroBoard XE.
o Korea Internet & Security Agency (KISA) Internet Incident Response Center: dial 118 (no area code)
[References]
[1] http://www.xpressengine.com/18776625
[2] http://www.xpressengine.com/notice
[3] http://www.xpressengine.com/?mid=download&category_srl=18322907&package_srl=18325662

Source: http://www.krcert.or.kr/secureNoticeView.do