XXE Vulnerability #400

Closed
dahua966 opened this issue Sep 13, 2020 · 1 comment

dahua966 commented Sep 13, 2020

In class Pay2PayPayment (application\components\payment\Pay2PayPayment.php), there is an XXE vulnerability in the checkResult function.

public function checkResult($hash = '')
    {
        if (isset($_POST['xml'], $_POST['sign'])) {
            $xml = base64_decode(str_replace(' ', '+', $_POST['xml']));
            $sign = base64_decode(str_replace(' ', '+', $_POST['sign']));
            $data = simplexml_load_string($xml);

The user input ($_POST['xml']) has been put into simplexml_load_string without sanitization.
Although this parser does not print anything, attackers could also use blind XXE to get sensitive information.
You could use libxml_disable_entity_loader(true); to avoid this vulnerability. Thx

bethrezen added a commit that referenced this issue Sep 14, 2020
@bethrezen
Member

Hi, @dahua966.
DotPlant is not supported by us anymore, but thanks for that important issue.
I've inserted a fix, please check it.
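
One way to harden the `simplexml_load_string` call reported in this issue, shown as an added example (it is not DotPlant code and not the fix from the referenced commit). The helper name `parseUntrustedXml()` is hypothetical and the sample documents are constructed; it assumes the payment callback never needs a DTD, so any document carrying a DOCTYPE is refused.

```php
<?php
// Added example: parseUntrustedXml() is a hypothetical helper, not DotPlant code.

function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    if ($xml === '') {
        return null; // DOMDocument::loadXML() rejects empty input
    }

    // PHP < 8.0: switch the external entity loader off for this parse only.
    // The function is deprecated from PHP 8.0, so it is not called there.
    $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not passed.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            return null;
        }
        // Checking the parsed tree (not the raw bytes) catches a DOCTYPE
        // whatever encoding the document was sent in.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                return null;
            }
        }
        $sx = simplexml_import_dom($dom);
        return $sx instanceof SimpleXMLElement ? $sx : null;
    } finally {
        // Restore global libxml state so other code is unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed sample inputs (not real Pay2Pay messages).
$plain   = '<response><order_id>42</order_id><status>success</status></response>';
$withDtd = '<!DOCTYPE response [<!ENTITY e "x">]><response><status>&e;</status></response>';

var_dump(parseUntrustedXml($plain) !== null);   // plain document is accepted
var_dump(parseUntrustedXml($withDtd) === null); // document with a DOCTYPE is refused
```

In `checkResult`, the base64-decoded `$xml` would be passed to this helper in place of the direct `simplexml_load_string($xml)` call, with a `null` result treated as a failed check.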
