DevGroup-ru / dotplant2

E-Commerce CMS - Yii Framework 2 (yii2, shop)
http://dotplant.ru/

XXE Vulnerability #400

Closed dahua966 closed 3 years ago

dahua966 commented 3 years ago

In the class Pay2PayPayment (application\components\payment\Pay2PayPayment.php), there is an XXE vulnerability in the checkResult function.

public function checkResult($hash = '')
{
    if (isset($_POST['xml'], $_POST['sign'])) {
        $xml = base64_decode(str_replace(' ', '+', $_POST['xml']));
        $sign = base64_decode(str_replace(' ', '+', $_POST['sign']));
        // Attacker-controlled XML is parsed with libxml's defaults: the external
        // entity loader is still enabled at this point, so a DOCTYPE in the
        // request body can declare external entities (the XXE reported here).
        $data = simplexml_load_string($xml);

The user input ($_POST['xml']) has been put into simplexml_load_string without sanitization. Although this parser does not print anything, attackers could also use blind XXE to get sensitive information. You could use libxml_disable_entity_loader(true); to avoid this vulnerability. Thx
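A hardened version of the parsing step, added here as an example and not DotPlant's code or the maintainer's fix; the function name parseUntrustedXml, the exception class and the sample XML are constructed for illustration. It combines the libxml_disable_entity_loader(true) call suggested above (needed on PHP < 8.0) with a DOCTYPE rejection and LIBXML_NONET so the callback parser never resolves entities at all:

```php
<?php
// Added example, not DotPlant's code: a hardened replacement for the
// simplexml_load_string() call in Pay2PayPayment::checkResult().
declare(strict_types=1);

final class XmlParseException extends RuntimeException {}

// Parse untrusted XML from a payment callback; throw instead of returning false.
function parseUntrustedXml(string $xml): SimpleXMLElement
{
    // A payment notification never needs a DTD. Rejecting any DOCTYPE up front
    // removes both classic and blind XXE regardless of libxml flags.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new XmlParseException('DOCTYPE declarations are not allowed');
    }

    // PHP < 8.0 loads external entities by default, so disable the loader.
    // PHP >= 8.0 disables it by default and marks this function deprecated.
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);

    try {
        // LIBXML_NONET forbids network fetches; LIBXML_NOENT is deliberately
        // absent so entity references are never substituted.
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $errors = array_map(static fn($e) => trim($e->message), libxml_get_errors());
            throw new XmlParseException('Malformed XML: ' . implode('; ', $errors));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs (not real Pay2Pay messages).
$benign  = '<?xml version="1.0"?><result><status>OK</status><order_id>42</order_id></result>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><result>&e;</result>';

echo (string) parseUntrustedXml($benign)->status, PHP_EOL;
try {
    parseUntrustedXml($hostile);
} catch (XmlParseException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the DOCTYPE check runs before libxml sees the input, the entity loader setting becomes defence in depth rather than the only control.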

bethrezen commented 3 years ago

Hi, @dahua966. DotPlant is not supported by us anymore, but thanks for that important issue. I've inserted a fix, please check it.