Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hello,
I would like to report for XSS vulnerability.
File Wechat.php
public function serve(){ // Source in this method $this->checkParams(); // Sink in this method $this->accessAuth(); return $this->getMessage(); }
private function checkParams(){ $this->signature = isset($_GET['signature']) && !empty($_GET['signature']) ? $_GET['signature'] : false; $this->timestamp = isset($_GET['timestamp']) && !empty($_GET['timestamp']) ? $_GET['timestamp'] : false; $this->nonce = isset($_GET['nonce']) && !empty($_GET['nonce']) ? $_GET['nonce'] : false; // The source with $_GET['echostr'] $this->echostr = isset($_GET['echostr']) && !empty($_GET['echostr']) ? $_GET['echostr'] : false; $this->encrypt_type = isset($_GET['encrypt_type']) && !empty($_GET['encrypt_type']) ? $_GET['encrypt_type'] : false; $this->msg_signature = isset($_GET['msg_signature']) && !empty($_GET['msg_signature']) ? $_GET['msg_signature'] : false; }
private function accessAuth(){ if ($this->echostr !== false) { if (! $this->checkSignature()) { @error_log('[wechat-php-sdk]accessAuth Error.', 0); } // the sink exit($this->echostr); } }
The text was updated successfully, but these errors were encountered:
CVE-2021-43678 is assigned for this report.
wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php
Sorry, something went wrong.
No branches or pull requests
Hello,
I would like to report for XSS vulnerability.
Vulnerability path
File Wechat.php
The text was updated successfully, but these errors were encountered: