niubl
**Code check:**

```
git clone https://github.com/dodgepudding/wechat-php-sdk.git
cd wechat-php-sdk/
grep -r "simplexml_load_string" ./
./wechat.class.php: $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./wechat.class.php: $this->_receive = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/wechatauth.class.php: $xml = simplexml_load_string($result);
./old_version/wechatpay.class.php: $orderxml = (array)simplexml_load_string($postStr,...
```
**Vulnerable file:** src/Wechat.php

**Cause:** simplexml_load_string is called on attacker-supplied XML (the inbound WeChat message body) without first disabling external entity loading. A crafted message can therefore declare an external entity (XXE) that points at a local file, and the parser reads that file into the parsed message, letting an attacker read arbitrary files on the server.

**Fix:** call libxml_disable_entity_loader(true) before every simplexml_load_string call so external entities are never resolved. Note for maintainers: on PHP 8.0 and later this function is deprecated because libxml 2.9+ disables external entity loading by default, so the call is only needed for older PHP/libxml builds; in no version should callers pass LIBXML_NOENT, which re-enables entity substitution.

**Proof of concept:** omitted

**Reported by:** niubl of Tencent Blade Team
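The vulnerable pattern from the grep output next to a hardened parser, as an added example. This is not code from wechat-php-sdk; the function names `parseVulnerable` and `parseHardened` and the XML payload are constructed here to illustrate the report, and the message fields mirror the WeChat message format only as far as needed for the demonstration.

```php
<?php
// Added example, not code from wechat-php-sdk.
// Shows the unprotected simplexml_load_string call described in the report
// beside a version that refuses external entities.

// Constructed XXE payload of the shape an attacker would POST to the message
// endpoint. On a libxml that still resolves external entities, the parsed
// Content element would carry the target file's contents.
$postStr = <<<XML
<?xml version="1.0"?>
<!DOCTYPE xml [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<xml>
  <ToUserName><![CDATA[gh_account]]></ToUserName>
  <FromUserName><![CDATA[openid]]></FromUserName>
  <MsgType><![CDATA[text]]></MsgType>
  <Content>&xxe;</Content>
</xml>
XML;

// Vulnerable pattern (same call as in the report): nothing disables the
// external entity loader before parsing untrusted input.
function parseVulnerable(string $postStr): array
{
    return (array) simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
}

// Hardened version: reject any DTD up front, disable the external entity
// loader on PHP < 8.0 (the function is deprecated on 8.0+ because libxml 2.9+
// disables the loader by default), forbid network access during parsing,
// never pass LIBXML_NOENT, and fail closed on parse errors.
function parseHardened(string $postStr): array
{
    if (preg_match('/<!DOCTYPE/i', $postStr)) {
        throw new InvalidArgumentException('DTD not allowed in inbound message');
    }

    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $xml = simplexml_load_string(
            $postStr,
            'SimpleXMLElement',
            LIBXML_NOCDATA | LIBXML_NONET
        );
        if ($xml === false) {
            throw new RuntimeException('malformed XML');
        }
        return (array) $xml;
    } finally {
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Usage: the hardened parser rejects the constructed payload before libxml
// ever sees the entity declaration.
try {
    parseHardened($postStr);
    echo "accepted", PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE check is the part that matters on every PHP version: SimpleXML has no flag that forbids a DTD outright, so refusing the declaration before parsing removes the entity vector regardless of which libxml the host ships.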