Yansongda Pay WeChat Signature Verification Bypass Vulnerability
Vulnerability
A vulnerability exists in the Yansongda Pay SDK for WeChat payment services, in versions through 3.7.19. The issue is in the 'verify_wechat_sign()' function in 'src/Functions.php', which skips signature verification when the incoming request names 'localhost' as its host. Because the host is taken from the attacker-controlled request, a manipulated HTTP request to the WeChat Pay callback endpoint bypasses the RSA signature verification entirely. As a result, fraudulent WeChat Pay payment notifications are accepted, causing applications to incorrectly mark orders as paid.
Impact
Exploitation of this vulnerability allows attackers to forge WeChat Pay payment success notifications, leading to unauthorized order payments. This could result in financial loss for businesses and service providers.
Reproduction
To reproduce this vulnerability, send a POST request to the WeChat Pay callback URL with the 'Host' header set to 'localhost'. Include the WeChat Pay headers the SDK expects: 'Wechatpay-Serial', 'Wechatpay-Timestamp', 'Wechatpay-Nonce', and 'Wechatpay-Signature'. The 'Wechatpay-Signature' value can be a placeholder, because the signature check is skipped entirely: 'verify_wechat_sign()' returns without verifying anything, and the application processes the notification as if it were legitimate.
Remediation
Update to Yansongda Pay version 3.7.20 or later, where this vulnerability is fixed. Independently of the SDK version, callback verification should never short-circuit on request-supplied metadata such as the 'Host' header; an environment or host check that returns early is equivalent to no signature check at all.
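The following is an added example, not code from the Yansongda Pay project and not its fix. It shows a WeChat Pay v3 notification verifier written so that no header, host or environment condition can cause an early success: every path either validates the RSA signature over the WeChat Pay v3 signed message (timestamp, nonce and body, each newline-terminated, SHA256withRSA) or rejects the request. The function name 'verify_wechat_notification()', the platform key pair, the serial 'DEMO-SERIAL-0001' and the notification values are all constructed for this demonstration; in a real deployment the public key comes from the WeChat Pay platform certificate matching 'Wechatpay-Serial'.

```php
<?php
// Added example, not code from the Yansongda Pay project.
// A WeChat Pay v3 notification verifier that never short-circuits on
// request metadata such as the Host header. Key material, serial and
// notification values below are constructed for the demo.
declare(strict_types=1);

/**
 * Verify a WeChat Pay v3 notification. Returns true only when the signature
 * over "timestamp\nnonce\nbody\n" validates against the platform public key
 * selected by Wechatpay-Serial. Every other path returns false.
 *
 * @param array<string,string> $headers            lower-cased header name => value
 * @param array<string,string> $platformPublicKeys serial => PEM public key
 */
function verify_wechat_notification(array $headers, string $body, array $platformPublicKeys, int $now, int $maxSkew = 300): bool
{
    foreach (['wechatpay-serial', 'wechatpay-timestamp', 'wechatpay-nonce', 'wechatpay-signature'] as $h) {
        if (!isset($headers[$h]) || $headers[$h] === '') {
            return false; // missing header: reject, never skip
        }
    }
    $serial = $headers['wechatpay-serial'];
    if (!isset($platformPublicKeys[$serial])) {
        return false; // unknown platform certificate serial
    }
    $timestamp = $headers['wechatpay-timestamp'];
    if (!preg_match('/^\d+$/', $timestamp) || abs($now - (int) $timestamp) > $maxSkew) {
        return false; // malformed or stale timestamp (limits replay)
    }
    $signature = base64_decode($headers['wechatpay-signature'], true);
    if ($signature === false) {
        return false; // placeholder or non-base64 signature
    }
    // WeChat Pay v3 signed message: timestamp, nonce, raw body, each followed by "\n"
    $message = $timestamp . "\n" . $headers['wechatpay-nonce'] . "\n" . $body . "\n";
    $pub = openssl_pkey_get_public($platformPublicKeys[$serial]);
    if ($pub === false) {
        return false; // unusable key material is a rejection, not a bypass
    }
    return openssl_verify($message, $signature, $pub, OPENSSL_ALGO_SHA256) === 1;
}

// --- Demo: a constructed RSA key pair stands in for the WeChat platform certificate ---
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($key)['key'];
$keys = ['DEMO-SERIAL-0001' => $publicPem];

$body = '{"id":"demo-notify-1","event_type":"TRANSACTION.SUCCESS"}'; // constructed body
$now = time();
$nonce = bin2hex(random_bytes(8));
openssl_sign((string) $now . "\n" . $nonce . "\n" . $body . "\n", $sig, $key, OPENSSL_ALGO_SHA256);

$genuine = [
    'host'                => 'pay.example.test',
    'wechatpay-serial'    => 'DEMO-SERIAL-0001',
    'wechatpay-timestamp' => (string) $now,
    'wechatpay-nonce'     => $nonce,
    'wechatpay-signature' => base64_encode($sig),
];

// Same notification with Host: localhost and a placeholder signature, the
// request shape the advisory describes. The host value is simply irrelevant
// to the verifier, so the bad signature is what decides the outcome.
$forged = $genuine;
$forged['host'] = 'localhost';
$forged['wechatpay-signature'] = 'placeholder';

var_dump(verify_wechat_notification($genuine, $body, $keys, $now));
var_dump(verify_wechat_notification($forged, $body, $keys, $now));
```

Run with the PHP CLI and the OpenSSL extension enabled; the genuine notification verifies and the forged one is rejected. The design point is that the Host header is never consulted: the verifier has exactly one success path, the `openssl_verify()` result, so a deployment-specific shortcut for local testing cannot become a production bypass.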