{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wechatpay/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yansongda/pay"],"_cs_severities":["high"],"_cs_tags":["wechatpay","signature-bypass","payment-fraud","webserver"],"_cs_type":"advisory","_cs_vendors":["Yansongda"],"content_html":"\u003cp\u003eThe \u003ccode\u003everify_wechat_sign()\u003c/code\u003e function in versions 3.7.19 and earlier of the \u003ccode\u003eyansongda/pay\u003c/code\u003e package contains a vulnerability that allows attackers to bypass signature verification for WeChat Pay callbacks. Specifically, if the \u003ccode\u003eHost\u003c/code\u003e header of an incoming HTTP request to the callback endpoint is set to \u003ccode\u003elocalhost\u003c/code\u003e, the function will skip the RSA signature check entirely. This is due to an unconditional check within the \u003ccode\u003everify_wechat_sign()\u003c/code\u003e function in \u003ccode\u003esrc/Functions.php\u003c/code\u003e. This vulnerability can be exploited to create fake payment success notifications, potentially leading to fraudulent transactions. The attack requires no authentication and can be performed purely over the network. While real-world exploitation might be limited by web application firewalls or reverse proxies filtering the Host header, the underlying vulnerability remains a risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable application using \u003ccode\u003eyansongda/pay\u003c/code\u003e for WeChat Pay integrations (version \u0026lt;= 3.7.19).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the WeChat Pay callback endpoint (e.g., \u003ccode\u003e/payment/wechat/callback\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the header \u003ccode\u003eHost: localhost\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also contains other required WeChat Pay headers like \u003ccode\u003eWechatpay-Serial\u003c/code\u003e, \u003ccode\u003eWechatpay-Timestamp\u003c/code\u003e, \u003ccode\u003eWechatpay-Nonce\u003c/code\u003e, and \u003ccode\u003eWechatpay-Signature\u003c/code\u003e but the \u003ccode\u003eWechatpay-Signature\u003c/code\u003e value can be arbitrary.\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON payload mimicking a successful transaction notification with a forged \u003ccode\u003eid\u003c/code\u003e and \u003ccode\u003eevent_type\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003everify_wechat_sign()\u003c/code\u003e function in \u003ccode\u003esrc/Functions.php\u003c/code\u003e receives the request.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003eHost: localhost\u003c/code\u003e header, the signature verification step is skipped.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly processes the forged notification and marks the order as paid, resulting in the attacker receiving goods or services without payment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to significant payment fraud, as attackers can receive goods or services without making actual payments. The attack requires no authentication and can be performed remotely. Affected applications are those utilizing the \u003ccode\u003eyansongda/pay\u003c/code\u003e package version 3.7.19 or earlier for WeChat Pay callback handling. The impact is primarily economic, with potential losses stemming from unfulfilled payments. While real-world exploitation may be mitigated by network-level controls, the vulnerability poses a risk to unpatched systems or misconfigured environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eyansongda/pay\u003c/code\u003e package to a version greater than 3.7.19 to remediate CVE-2026-33661.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to block or sanitize \u003ccode\u003eHost\u003c/code\u003e headers containing \u003ccode\u003elocalhost\u003c/code\u003e on WeChat Pay callback endpoints, mitigating the vulnerability even in unpatched systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WeChat Pay Callback with Localhost Host Header\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of your reverse proxy (e.g., Nginx, Apache) to ensure it properly validates and sanitizes incoming HTTP request headers, especially the \u003ccode\u003eHost\u003c/code\u003e header, preventing attackers from injecting malicious values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wechat-pay-bypass/","summary":"A vulnerability exists in yansongda/pay where signature verification is skipped when the Host header is `localhost`, allowing attackers to forge payment notifications.","title":"WeChat Pay Callback Signature Bypass via Host Header Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-wechat-pay-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Wechatpay","version":"https://jsonfeed.org/version/1.1"}