XXE Vulnerability #400

Closed
dahua966 opened this issue Sep 13, 2020 · 1 comment

dahua966 commented Sep 13, 2020

In class Pay2PayPayment (application\components\payment\Pay2PayPayment.php), there is an XXE vulnerability in the checkResult function.

```php
public function checkResult($hash = '')
{
    if (isset($_POST['xml'], $_POST['sign'])) {
        $xml = base64_decode(str_replace(' ', '+', $_POST['xml']));
        $sign = base64_decode(str_replace(' ', '+', $_POST['sign']));
        $data = simplexml_load_string($xml);
```

The user input ($_POST['xml']) has been put into simplexml_load_string without sanitization.
Although this parser does not print anything, attackers could also use blind XXE to get sensitive information.
You could use libxml_disable_entity_loader(true); to avoid this vulnerability. Thx

bethrezen added a commit that referenced this issue Sep 14, 2020
@bethrezen (Member)

Hi, @dahua966.
DotPlant is not supported by us anymore, but thanks for that important issue.
I've inserted a fix, please check it.
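
An added example, not part of the issue thread and not DotPlant's own fix: one way to parse the base64-decoded callback body defensively. `libxml_disable_entity_loader()`, suggested in the report, is deprecated as of PHP 8.0, so this sketch only calls it on old libxml2 builds and additionally rejects any document that carries a DOCTYPE. The helper name `parseUntrustedXml()` and the sample payloads are assumptions made for illustration.

```php
<?php
// Added example, not DotPlant code. parseUntrustedXml() is a hypothetical helper.
function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    if ($xml === '') {
        return null; // DOMDocument::loadXML() throws on empty input in PHP 8
    }
    $prevErrors = libxml_use_internal_errors(true);
    // libxml2 < 2.9.0 resolves external entities by default, so switch the
    // loader off there. From 2.9.0 on, external entity loading is off by
    // default, and the call itself is deprecated as of PHP 8.0.
    $prevLoader = LIBXML_VERSION < 20900 ? libxml_disable_entity_loader(true) : null;
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access; LIBXML_NOENT is deliberately absent.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            return null; // not well-formed
        }
        // A payment callback needs no DTD: reject any document carrying one.
        // Checking the parsed tree catches a DOCTYPE in any encoding.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                return null;
            }
        }
        $sx = simplexml_import_dom($dom);
        return $sx instanceof SimpleXMLElement ? $sx : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed sample inputs, decoded the same way checkResult() decodes $_POST['xml'].
$ok  = base64_encode('<response><order_id>42</order_id></response>');
$dtd = base64_encode('<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>');
foreach (['plain' => $ok, 'doctype' => $dtd] as $label => $b64) {
    $data = parseUntrustedXml(base64_decode(str_replace(' ', '+', $b64)));
    echo $label, ': ', $data === null ? 'rejected' : 'parsed', PHP_EOL;
}
```

Rejecting the DOCTYPE outright covers internal and external entity declarations alike, so the result does not depend on which libxml2 defaults the host happens to ship.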
