微信支付接口存在XML漏洞
|
近日,网上爆出了微信支付官方SDK(软件工具开发包)存在严重的漏洞,确认该漏洞影响JAVA版本的SDK,可导致商家服务器被入侵(绕过支付的效果)。 值得重视的是,一旦攻击者获得商家的关键安全密钥,就可以通过发送伪造信息来欺骗商家而无需付费购买任何东西,明显是微信支付的大漏洞!影响范围巨大,建议用到JAVA SDK的商户快速检查并修复。 如果你在使用支付业务回调通知中,存在以下场景有使用XML解析的情况,请务必检查是否对进行了防范。 场景1:支付成功通知; 场景2:退款成功通知; 场景3:委托代扣签约、解约、扣款通知; 场景4:车主解约通知; 注:APP支付SDK不受影响。 检查及修复建议 1.如果您的后台系统使用了官方sdk,请更新sdk到最新版本 sdk的链接:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1 2.如果您是有系统提供商,请联系提供商进行核查和升级修复; 3.如果您是自研系统,请联系技术部门按以下指引核查和修复: XXE漏洞需要你在代码中进行相应的设置,不同语言设置的内容不同,下面提供了几种主流开发语言的设置指引: 【PHP】 libxml_disable_entity_loader(true); 【JAVA】 import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; // catching unsupported features ... DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); String FEATURE = null; try { // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true); // If you can't completely disable DTDs, then at least do the following: // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities // JDK7+ - http://xml.org/sax/features/external-general-entities FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities // JDK7+ - http://xml.org/sax/features/external-parameter-entities FEATURE = "http://xml.org/sax/features/external-parameter-entities"; dbf.setFeature(FEATURE, false); // Disable external DTDs as well FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; dbf.setFeature(FEATURE, false); // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks // (http://cwe.mitre.org/data/definitions/918.html) and denial // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." // remaining parser logic ... } catch (ParserConfigurationException e) { // This should catch a failed setFeature feature logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor."); ... } catch (SAXException e) { // On Apache, this should be thrown when disallowing DOCTYPE logger.warning("A DOCTYPE was passed into the XML document"); ... } catch (IOException e) { // XXE that points to a file that doesn't exist logger.error("IOException occurred, XXE may still possible: " + e.getMessage()); ... } DocumentBuilder safebuilder = dbf.newDocumentBuilder(); 【.Net】 XmlDocument doc= new XmlDocument(); doc.XmlResolver = null; 【Python】 from lxml import etree xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False)) 【c/c++(常用库为libxml2 libxerces-c)】 【libxml2】: 确保关闭配置选项:XML_PARSE_NOENT 和 XML_PARSE_DTDLOAD 2.9版本以上已修复xxe 【libxerces-c】: 如果用的是XercesDOMParser: XercesDOMParser *parser = new XercesDOMParser; parser->setCreateEntityReferenceNodes(false); 如果是用SAXParser: SAXParser* parser = new SAXParser; parser->setDisableDefaultEntityResolution(true); 如果是用SAX2XMLReader: SAX2XMLReader* reader = XMLReaderFactory::createXMLReader(); parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); 附录:更多开源库/语言版本的修复建议可参考: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B (编辑:清远站长网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |