Executive Summary

This vulnerability exists in the Pay open-source payment SDK extension package for Chinese payment services. Before version 3.7.20, the function verify_wechat_sign() in the source code would skip all signature verification if the incoming HTTP request reported 'localhost' as the host.

An attacker can exploit this by sending a specially crafted HTTP request to the WeChat Pay callback endpoint with a 'Host: localhost' header. This causes the system to bypass the RSA signature verification entirely.

As a result, the attacker can forge fake WeChat Pay payment success notifications, potentially tricking the application into marking orders as paid even though no real payment was made.

This issue was fixed in version 3.7.20 of the SDK.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to bypass payment verification.

Specifically, attackers can send fake payment success notifications to your application, causing it to incorrectly mark orders as paid without any actual payment.

This can lead to financial losses, fraud, and disruption of business operations.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the Pay SDK to version 3.7.20 or later, where the issue with skipping signature verification for requests with Host: localhost is fixed.

Additionally, as a temporary measure, ensure that your application does not accept or trust HTTP requests with a Host header set to localhost on the WeChat Pay callback endpoint.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the WeChat Pay callback endpoint and checking for requests that include a 'Host: localhost' header. Such requests indicate an attempt to bypass signature verification.

You can use network monitoring or web server access logs to identify suspicious requests with the 'Host: localhost' header targeting the callback endpoint.

Example commands to detect such requests include:

• Using grep on web server logs: grep -i 'Host: localhost' /path/to/access.log
• Using tcpdump to capture HTTP traffic and filter for 'Host: localhost': sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host: localhost'
• Using curl to test the endpoint manually: curl -H 'Host: localhost' http://yourserver/wechatpay/callback

If such requests are found, it indicates potential exploitation attempts of this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass signature verification and forge fake payment success notifications, potentially causing applications to mark orders as paid without actual payment.

Such unauthorized payment processing could lead to financial discrepancies and undermine data integrity, which may impact compliance with standards and regulations that require accurate transaction records and secure processing, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Useful 0 Not Useful 0