To WeChat Pay merchants: regarding the recently disclosed XML External Entity Injection vulnerability (XXE). This security issue is caused by XML components that do not disable external entity references by default; it is not a vulnerability in the WeChat Pay system itself.
If your handling of payment callback notifications uses XML parsing in any of the following scenarios, be sure to check whether XXE has been guarded against.
Scenario 1: payment success notification;
Scenario 2: refund success notification;
Scenario 3: entrusted withholding (委托代扣) sign-up, cancellation and deduction notifications;
Scenario 4: vehicle owner service cancellation notification;
Scenario 5: Native (QR code) payment mode 1 callback;
Note: the client-side SDK for APP payment is not affected, but the payment success callback notification for APP payment must still be checked.
WeChat Pay will contact merchants from the following system numbers to give security notice and to ask whether you authorize the platform to perform a security scan.
(0755)36560292
(0755)61954612
(0755)61954613
(0755)61954614
(0755)61954615
(0755)61954616
Authorizing the detection scan of your payment system does not affect the security of your merchant system.
Note: merchants who want to test for the XXE vulnerability themselves can go to the Merchant Platform (pay.weixin.qq.com) --> Product Center --> Security Doctor (安全醫生) to run a test.
1. If your back-end system uses the official SDK, update the SDK to the latest version. SDK link: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1
2. If your system is supplied by a system vendor, contact the vendor to check and upgrade/fix it;
3. If your system is developed in house, have your technical department check and fix it following the guidance below:
If you have questions, contact us at WePayTS@tencent.com. Thank you for your support of WeChat Pay.
Fixing XXE requires the corresponding settings in your code, and the settings differ by language. Configuration guidance for several mainstream development languages follows:
【PHP】
libxml_disable_entity_loader(true);
【JAVA】
import java.io.IOException;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import org.xml.sax.SAXException;

// Assumed: a logger for the messages below (the original snippet used an undeclared "logger").
Logger logger = Logger.getLogger("xxe");

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
    // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    // JDK7+ - http://xml.org/sax/features/external-general-entities
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);

    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    // JDK7+ - http://xml.org/sax/features/external-parameter-entities
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    dbf.setFeature(FEATURE, false);

    // Disable external DTDs as well
    FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    dbf.setFeature(FEATURE, false);

    // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
    // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
    // (http://cwe.mitre.org/data/definitions/918.html) and denial
    // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

    // remaining parser logic (parsing documents here is what can raise SAXException / IOException)
} catch (ParserConfigurationException e) {
    // This should catch a failed setFeature feature
    logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor.");
} catch (SAXException e) {
    // On Apache, this should be thrown when disallowing DOCTYPE
    logger.warning("A DOCTYPE was passed into the XML document");
} catch (IOException e) {
    // XXE that points to a file that doesn't exist
    logger.severe("IOException occurred, XXE may still be possible: " + e.getMessage()); // java.util.logging has severe(), not error()
}
DocumentBuilder safebuilder = dbf.newDocumentBuilder();
【.Net】
XmlDocument doc = new XmlDocument();
doc.XmlResolver = null;
【ASP】
Set xmldom = Server.CreateObject("MSXML2.DOMDocument")
xmldom.resolveExternals = false
【Python】
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
【C/C++ (commonly used libraries: libxml2, libxerces-c)】
【libxml2】: make sure the parser options XML_PARSE_NOENT and XML_PARSE_DTDLOAD are turned off.
Versions 2.9 and above have fixed XXE.
【libxerces-c】:
If you use XercesDOMParser:
XercesDOMParser *parser = new XercesDOMParser;
parser->setCreateEntityReferenceNodes(false);
If you use SAXParser:
SAXParser* parser = new SAXParser;
parser->setDisableDefaultEntityResolution(true);
If you use SAX2XMLReader:
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);  // the feature is set on the reader just created, not on a separate "parser"
Appendix: fix recommendations for more open-source libraries and language versions can be found at:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
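As an added example (not part of the notice and not code from any WeChat Pay SDK), the following applies the primary defense the Java snippet above describes, refusing any DOCTYPE, to the flat <xml><field>value</field>...</xml> body used by the callback scenarios listed at the top. It uses Python's standard-library expat parser instead of lxml, so it runs without extra packages; the field names and both sample bodies are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a notification body carries a DOCTYPE, the only place entities can be declared."""


def parse_notification(body: bytes) -> dict:
    """Parse a flat <xml><field>value</field>...</xml> notification body into a dict.

    Two hardening steps, independent of which fields the body carries:
      * any DOCTYPE is rejected the moment "<!DOCTYPE" is seen, before the parser
        processes its internal subset or any entity it might declare;
      * parameter-entity processing is switched off, so an external DTD is never fetched.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.buffer_text = True  # deliver each element's text (CDATA included) in as few callbacks as possible

    fields = {}
    state = {"depth": 0, "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fired at "<!DOCTYPE" itself; raising here stops parsing before any entity is evaluated.
        raise UnsafeXmlError("DOCTYPE declaration rejected in notification body")

    def on_start(name, attrs):
        state["depth"] += 1
        if state["depth"] == 2:  # a direct child of the root element: one field
            state["text"] = []

    def on_text(data):
        if state["depth"] == 2:
            state["text"].append(data)

    def on_end(name):
        if state["depth"] == 2:
            fields[name] = "".join(state["text"])
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return fields


def inspect_notification(body: bytes):
    """Return (True, fields) for an acceptable body, or (False, reason) for one to drop and log."""
    try:
        return True, parse_notification(body)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc


# Constructed sample: a benign payment-success style notification in the flat format.
BENIGN = (
    b"<xml><return_code><![CDATA[SUCCESS]]></return_code>"
    b"<out_trade_no><![CDATA[ORDER-0001]]></out_trade_no>"
    b"<total_fee>100</total_fee></xml>"
)

# Constructed sample: the same shape with a DOCTYPE in front of it. The entity it declares is
# internal and harmless; the point is that the handler refuses the body at the DOCTYPE itself,
# without ever evaluating what any entity refers to.
WITH_DOCTYPE = (
    b'<?xml version="1.0"?><!DOCTYPE xml [<!ENTITY note "x">]>'
    b"<xml><return_code>&note;</return_code></xml>"
)

if __name__ == "__main__":
    print(inspect_notification(BENIGN))
    print(inspect_notification(WITH_DOCTYPE))
```

A body that is refused should be treated like any other failed notification: log the reason, return a failure response and let WeChat Pay retry, rather than attempting to parse it a second time with a more permissive parser.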
I don't understand this.
May I ask whether you have fixed yours?
No. The PHP has to be changed, and I don't know where in poscms to change it.
With the help of the WeChat Pay XXE fix team it is finally fixed. Officials, please fix it too, so that everyone isn't left clueless. Modify \api\pay\weixin\WxPayPubHelper\WxPayPubHelper.php as follows:
....
// convert the XML to an array
libxml_disable_entity_loader(true); // key line, fixes XXE
Add the code above before $array_data = ....
The WeChat security team's check passed and the frozen account was restored.