dodgepudding / wechat-php-sdk

WeChat Official Account platform PHP development kit, weixin developer SDK.

wechat-php-sdk has an XXE vulnerability #360

Open niubl opened 6 years ago

niubl commented 6 years ago

Code inspection:

```sh
git clone https://github.com/dodgepudding/wechat-php-sdk.git
cd wechat-php-sdk/
grep -r "simplexml_load_string" ./
```

```
./wechat.class.php: $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./wechat.class.php: $this->_receive = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/wechatauth.class.php: $xml = simplexml_load_string($result);
./old_version/wechatpay.class.php: $orderxml = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/Thinkphp/Wechatpay.class.php: $orderxml = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./old_version/Thinkphp/Wechatauth.class.php: $xml = simplexml_load_string($result);
./Thinkphp/JsSdkPay.class.php: $array_data = json_decode(json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);
./qywechat.class.php: $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
./qywechat.class.php: $this->_receive = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
```

Fix: call libxml_disable_entity_loader(true) before calling simplexml_load_string to disable entity references.

Proof of concept:

Reported by: niubl of Tencent Blade Team
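A hardened form of the parse call the fix refers to, as an added example that is not part of wechat-php-sdk or the report above; the function name parseWechatXml and the two sample messages are constructed. Besides the libxml_disable_entity_loader call from the fix, it rejects any DOCTYPE up front and passes LIBXML_NONET so the parser cannot reach the network.

```php
<?php
// Added example (not the SDK's own code): a hardened wrapper around
// simplexml_load_string for inbound WeChat XML. Function name and sample
// messages are constructed for illustration.
function parseWechatXml(string $postStr): array
{
    // WeChat notifications never carry a DOCTYPE, and a DOCTYPE is the only
    // place an entity can be declared, so refuse it before libxml sees it.
    if (preg_match('/<!DOCTYPE/i', $postStr)) {
        throw new InvalidArgumentException('DOCTYPE not allowed in WeChat XML');
    }
    // The fix from the report: disable external entity loading. PHP 8.0
    // disables it by default and deprecates this call, hence the guard.
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOCDATA
    // merges CDATA sections into text, as the SDK already does.
    $xml = simplexml_load_string(
        $postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET
    );
    libxml_clear_errors();
    libxml_use_internal_errors($useErrors);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($previous);
    }
    if ($xml === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return (array) $xml;
}

// Constructed sample: an ordinary WeChat text message is parsed as before.
$good = '<xml><ToUserName><![CDATA[gh_abc]]></ToUserName>'
      . '<FromUserName><![CDATA[openid_123]]></FromUserName>'
      . '<MsgType><![CDATA[text]]></MsgType>'
      . '<Content><![CDATA[hello]]></Content></xml>';
var_dump(parseWechatXml($good)['Content']);

// Constructed sample: a harmless internal entity still carries a DOCTYPE,
// so the message is refused before any entity is resolved.
$bad = '<!DOCTYPE xml [<!ENTITY e "x">]><xml><Content>&e;</Content></xml>';
try {
    parseWechatXml($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```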