
Possible XSS vulnerability #30

Open
@enferas

Description

Hello,

I would like to report an XSS vulnerability.

Vulnerability path

File Wechat.php

  • Line 58
public function serve(){
    // Source in this method
    $this->checkParams();
    // Sink in this method
    $this->accessAuth();
    return $this->getMessage();
}
  • Line 468
private function checkParams(){
    $this->signature = isset($_GET['signature']) && !empty($_GET['signature']) ? $_GET['signature'] : false;
    $this->timestamp = isset($_GET['timestamp']) && !empty($_GET['timestamp']) ? $_GET['timestamp'] : false;
    $this->nonce = isset($_GET['nonce']) && !empty($_GET['nonce']) ? $_GET['nonce'] : false;
    // The source with $_GET['echostr']
    $this->echostr = isset($_GET['echostr']) && !empty($_GET['echostr']) ? $_GET['echostr'] : false;
    $this->encrypt_type = isset($_GET['encrypt_type']) && !empty($_GET['encrypt_type']) ? $_GET['encrypt_type'] : false;
    $this->msg_signature = isset($_GET['msg_signature']) && !empty($_GET['msg_signature']) ? $_GET['msg_signature'] : false;
}
  • Line 500
private function accessAuth(){
    if ($this->echostr !== false) {
        if (! $this->checkSignature()) {
            @error_log('[wechat-php-sdk]accessAuth Error.', 0);
        }
        // the sink
        exit($this->echostr);
    }
}
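The flow quoted above reflects `$_GET['echostr']` to the response even when `checkSignature()` fails, because the failure is only logged before `exit($this->echostr)` runs. The following is an added example written for this page, not code from wechat-php-sdk, showing a fail-closed rewrite of that path: the signature is checked first and a mismatch returns 403 with an empty body, the echo is served as `text/plain` so a browser never treats it as markup, and the method returns the response instead of calling `exit()` so it can be unit-tested. The class name `WechatAuthHardened`, the `param()` helper and the `emit()` method are assumptions; the signature scheme (sha1 over the lexicographically sorted token, timestamp and nonce) is the one documented by WeChat for URL verification.

```php
<?php
// Added example (not from wechat-php-sdk): a fail-closed version of the
// accessAuth() flow quoted in the issue. Class and helper names are assumed.
final class WechatAuthHardened
{
    private string $token;
    private array $params;

    public function __construct(string $token, array $query)
    {
        $this->token  = $token;   // the account token configured on the WeChat side
        $this->params = $query;   // normally $_GET
    }

    private function param(string $name): ?string
    {
        // Accept only non-empty scalar strings; an array in $_GET would otherwise
        // reach sha1()/hash_equals() and emit warnings instead of failing cleanly.
        $v = $this->params[$name] ?? null;
        return (is_string($v) && $v !== '') ? $v : null;
    }

    /** WeChat URL-verification signature: sha1 of the sorted token, timestamp, nonce. */
    public function checkSignature(): bool
    {
        $sig   = $this->param('signature');
        $ts    = $this->param('timestamp');
        $nonce = $this->param('nonce');
        if ($sig === null || $ts === null || $nonce === null) {
            return false;
        }
        $parts = [$this->token, $ts, $nonce];
        sort($parts, SORT_STRING);
        $expected = sha1(implode('', $parts));
        // Constant-time comparison so the expected digest is not leaked byte by byte.
        return hash_equals($expected, $sig);
    }

    /**
     * Returns [status, headers, body], or null when this is not a verification
     * request. Unlike the original, nothing is echoed unless the signature verifies.
     */
    public function accessAuth(): ?array
    {
        $echostr = $this->param('echostr');
        if ($echostr === null) {
            return null; // ordinary message request; caller continues to getMessage()
        }
        $headers = [
            'Content-Type: text/plain; charset=utf-8',
            'X-Content-Type-Options: nosniff',
        ];
        if (!$this->checkSignature()) {
            // Fail closed: the quoted code only logged here and still echoed echostr.
            error_log('[wechat-php-sdk] accessAuth signature mismatch');
            return [403, $headers, ''];
        }
        // WeChat requires the raw echostr back, so it is not HTML-escaped; the
        // text/plain content type is what keeps a browser from rendering it.
        return [200, $headers, $echostr];
    }

    public static function emit(array $response): void
    {
        [$status, $headers, $body] = $response;
        http_response_code($status);
        foreach ($headers as $h) {
            header($h);
        }
        echo $body;
        exit;
    }
}

// Usage inside serve(), replacing the direct accessAuth() call:
// $auth = new WechatAuthHardened($this->token, $_GET);
// if (($resp = $auth->accessAuth()) !== null) {
//     WechatAuthHardened::emit($resp);
// }
```

With this shape the reflected value can only be returned to a caller who already holds the shared token, and even then it is delivered as plain text; a request with a missing or wrong `signature` gets a 403 and an empty body, which is also the condition worth alerting on in the access logs.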
