近日,网上爆出了微信付出官方SDK(软件工具开发包)存在紧张的漏洞,确认该漏洞影响JAVA版本的SDK河北人事考试,可导致商家服务器被入侵(绕过付出的结果)。值得正视的是,一旦攻击者获得商家的关键安全密钥,就可以通过发送伪造信息来诳骗商家而无需付费购买任何东西,显明是微信付出的大漏洞!影响范围伟大北京正规搬家,建议用到JAVA SDK的商户快速检查并修复。假如你在使用付出营业回调关照中,存在以了局景有使用XML解析的情况,请务必检查是否对进行了提防。场景1:付出成功关照;场景2:退款成功关照;场景3:委......
标签:付出,接口,存在,漏洞 发布时间:2021年03月09日 浏览73次
近日,网上爆出了微信付出官方SDK(软件工具开发包)存在紧张的漏洞,确认该漏洞影响JAVA版本的SDK,可导致商家服务器被入侵(绕过付出的结果)。
值得正视的是,一旦攻击者获得商家的关键安全密钥,就可以通过发送伪造信息来诳骗商家而无需付费购买任何东西,显明是微信付出的大漏洞!影响范围伟大,建议用到JAVA SDK的商户快速检查并修复。
假如你在使用付出营业回调关照中,存在以了局景有使用XML解析的情况,请务必检查是否对进行了提防。
场景1:付出成功关照;
场景2:退款成功关照;
场景3:委托代扣签约、解约、扣款关照;
场景4:车主解约关照;
注:APP付出SDK不受影响。
检查及修复建议
1.假如您的后台体系使用了官方sdk,请更新sdk到最新版本 sdk的链接:https://pay.weixin.qq8654/wiki/doc/api/jsapi.php?chapter=11_1
2.假如您是有体系提供商,请联系提供商进行核查和升级修复;
3.假如您是自研体系顾问,请联系技术部门按以下指引核查和修复:
XXE漏洞必要你在代码中进行响应的设置,不同语言设置的内容不同,下面提供了几种主流开发语言的设置指引:
【PHP】
libxml_disable_entity_loader(true);
【JAVA】
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
...
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - https://xerces.apache0343/xerces2-j/features.html#disallow-doctype-decl
FEATURE = "https://apache0343/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// If you can't completely disable DTDs, then at least do the following:
// Xerces 1 - https://xerces.apache0343/xerces-j/features.html#external-general-entities
// Xerces 2 - https://xerces.apache0343/xerces2-j/features.html#external-general-entities
// JDK7+ - https://xml0343/sax/features/external-general-entities
FEATURE = "https://xml0343/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
// Xerces 1 - https://xerces.apache0343/xerces-j/features.html#external-parameter-entities
// Xerces 2 - https://xerces.apache0343/xerces2-j/features.html#external-parameter-entities
// JDK7+ - https://xml0343/sax/features/external-parameter-entities
FEATURE = "https://xml0343/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
// Disable external DTDs as well
FEATURE = "https://apache0343/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
// (https://cwe.mitre0343/data/definitions/918.html) and denial
// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."
// remaining parser logic
...
} catch (ParserConfigurationException e) {
// This should catch a failed setFeature feature
logger2412("ParserConfigurationException was thrown. The feature '" +
FEATURE + "' is probably not supported by your XML processor.");
...
}
catch (SAXException e) {
// On Apache, this should be thrown when disallowing DOCTYPE
logger.warning("A DOCTYPE was passed into the XML document");
...
}
catch (IOException e) {
// XXE that points to a file that doesn't exist
logger.error("IOException occurred, XXE may still possible: " + e.getMessage());
...
}
DocumentBuilder safebuilder = dbf.newDocumentBuilder();
【.Net】
XmlDocument doc= new XmlDocument();
doc.XmlResolver = null;
【Python】
from lxml import etree
xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))
【c/c++(常用库为libxml2 libxerces-c)】
【libxml2】:
确保关闭配置选项:XML_PARSE_NOENT 和 XML_PARSE_DTDLOAD
2.9版本以上已修复xxe
【libxerces-c】:
假如用的是XercesDOMParser:
XercesDOMParser *parser = new XercesDOMParser;
parser->setCreateEntityReferenceNodes(false);
假如是用SAXParser:
SAXParser* parser = new SAXParser;
parser->setDisableDefaultEntityResolution(true);
假如是用SAX2XMLReader:
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
附录:更多开源库/语言版本的修复建议可参考:
https://www.embd.cn/owasp0343/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
w88优德中文版w88刀塔BAIDU SEO OPT
相关文章RELATED ARTICLES