微信支付接口存在XML漏洞

北京赛车pk10开奖直播 人参与 | 时间:2018年07月06日 14:03

本文地址:http://www.minimicrocar.com/blog/post/10497.html
文章摘要:微信支付接口存在XML漏洞,交警部门提醒广大司机,注意按照标志、标线,择路分流绕行。  美国伊利诺伊理工大学斯图尔特商学院经济学教授哈伊里·图尔克认为,与一些西方国家政党受选举政治影响而更多追求短期目标不同,中国共产党一直着眼长远,并且有能力将目标变为现实。”联合国维持和平行动部发言人尼克·伯恩巴克近日接受新华社记者专访时说,多年来,中国对维和事业的贡献一直在稳步增加,中国对维和事业的重视以及贡献向其他国家传递了积极信息,树立了良好榜样。,”话已至此,现场有股东希望继续聘请董明珠掌管格力,认为董明珠仍然是最好的人选。同时,随着我国境内资本市场扩大开放,境外资本参与国内资本市场的渠道有望进一步拓宽,对境外资本吸引力增强,可能将带来资本流入显著增加,有利于人民币企稳升值。  6月22日,中国铁路总公司专家组在中铁大桥局汉十铁路3A标施工现场,组织对线路无砟轨道首件工程进行评估验收。。

近日,网上爆出了微信支付官方SDK(软件工具开发包)存在严重的漏洞,确认该漏洞影响JAVA版本的SDK,可导致商家服务器被入侵(绕过支付的效果)。

值得重视的是,一旦攻击者获得商家的关键安全密钥,就可以通过发送伪造信息来欺骗商家而无需付费购买任何东西,明显是微信支付的大漏洞!影响范围巨大,建议用到JAVA SDK的商户快速检查并修复。

如果你在使用支付业务回调通知中,存在以下场景有使用XML解析的情况,请务必检查是否对进行了防范。

场景1:支付成功通知;

场景2:退款成功通知;

场景3:委托代扣签约、解约、扣款通知;

场景4:车主解约通知;

注:APP支付SDK不受影响。

检查及修复建议

1.如果您的后台系统使用了官方sdk,请更新sdk到最新版本 sdk的链接:http://www.minimicrocar.com/712/wiki/doc/api/jsapi.php?chapter=11_1

2.如果您是有系统提供商,请联系提供商进行核查和升级修复;

3.如果您是自研系统,请联系技术部门按以下指引核查和修复:

XXE漏洞需要你在代码中进行相应的设置,不同语言设置的内容不同,下面提供了几种主流开发语言的设置指引:

【PHP】

libxml_disable_entity_loader(true);

【JAVA】

import javax.xml.parsers.DocumentBuilderFactory;

import javax.xml.parsers.ParserConfigurationException; // catching unsupported features

...

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

try {

// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented

// Xerces 2 only - http://www.minimicrocar.com/007/xerces2-j/features.html#disallow-doctype-decl

FEATURE = "http://www.minimicrocar.com/110/xml/features/disallow-doctype-decl";

dbf.setFeature(FEATURE, true);

// If you can't completely disable DTDs, then at least do the following:

// Xerces 1 - http://www.minimicrocar.com/120/xerces-j/features.html#external-general-entities

// Xerces 2 - http://www.minimicrocar.com/029/xerces2-j/features.html#external-general-entities

// JDK7+ - http://www.minimicrocar.com/959/sax/features/external-general-entities

FEATURE = "http://www.minimicrocar.com/350/sax/features/external-general-entities";

dbf.setFeature(FEATURE, false);

// Xerces 1 - http://www.minimicrocar.com/548/xerces-j/features.html#external-parameter-entities

// Xerces 2 - http://www.minimicrocar.com/408/xerces2-j/features.html#external-parameter-entities

// JDK7+ - http://www.minimicrocar.com/156/sax/features/external-parameter-entities

FEATURE = "http://www.minimicrocar.com/767/sax/features/external-parameter-entities";

dbf.setFeature(FEATURE, false);

// Disable external DTDs as well

FEATURE = "http://www.minimicrocar.com/577/xml/features/nonvalidating/load-external-dtd";

dbf.setFeature(FEATURE, false);

// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"

dbf.setXIncludeAware(false);

dbf.setExpandEntityReferences(false);

// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then

// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks

// (http://www.minimicrocar.com/592/data/definitions/918.html) and denial

// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

// remaining parser logic

...

} catch (ParserConfigurationException e) {

// This should catch a failed setFeature feature

logger.info("ParserConfigurationException was thrown. The feature '" +

FEATURE + "' is probably not supported by your XML processor.");

...

}

catch (SAXException e) {

// On Apache, this should be thrown when disallowing DOCTYPE

logger.warning("A DOCTYPE was passed into the XML document");

...

}

catch (IOException e) {

// XXE that points to a file that doesn't exist

logger.error("IOException occurred, XXE may still possible: " + e.getMessage());

...

}

DocumentBuilder safebuilder = dbf.newDocumentBuilder();

【.Net】

XmlDocument doc= new XmlDocument();

doc.XmlResolver = null;

【Python】

from lxml import etree

xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))

【c/c++(常用库为libxml2 libxerces-c)】

【libxml2】:

确保关闭配置选项:XML_PARSE_NOENT 和 XML_PARSE_DTDLOAD

2.9版本以上已修复xxe

【libxerces-c】:

如果用的是XercesDOMParser:

XercesDOMParser *parser = new XercesDOMParser;

parser->setCreateEntityReferenceNodes(false);

如果是用SAXParser:

SAXParser* parser = new SAXParser;

parser->setDisableDefaultEntityResolution(true);

如果是用SAX2XMLReader:

SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();

parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);

附录:更多开源库/语言版本的修复建议可参考:

http://www.minimicrocar.com/472/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B

顶: 1踩: 0

来源:,欢迎分享,(QQ/微信:13340454)