wechat-php-sdk 存在XXE漏洞 #360
Description
代码检查:
git clone https://github.com/dodgepudding/wechat-php-sdk.git
cd wechat-php-sdk/
grep -r "simplexml_load_string" ./
./wechat.class.php: $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./wechat.class.php: $this->_receive = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/wechatauth.class.php: $xml = simplexml_load_string($result);
./old_version/wechatpay.class.php: $orderxml = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/Thinkphp/Wechatpay.class.php: $orderxml = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/Thinkphp/Wechatauth.class.php: $xml = simplexml_load_string($result);
./Thinkphp/JsSdkPay.class.php: $array_data = json_decode(json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);
./qywechat.class.php: $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./qywechat.class.php: $this->_receive = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
漏洞修复:
在调用simplexml_load_string函数前调用libxml_disable_entity_loader(true)禁止实体引用
漏洞证明:
略
报告来自:
niubl of Tencent Blade Team