<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Wechatpay - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/wechatpay/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 08 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/wechatpay/feed.xml" rel="self" type="application/rss+xml"/><item><title>WeChat Pay Callback Signature Bypass via Host Header Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-wechat-pay-bypass/</link><pubDate>Mon, 08 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wechat-pay-bypass/</guid><description>A vulnerability exists in yansongda/pay where signature verification is skipped when the Host header is `localhost`, allowing attackers to forge payment notifications.</description><content:encoded><![CDATA[<p>The <code>verify_wechat_sign()</code> function in versions 3.7.19 and earlier of the <code>yansongda/pay</code> package contains a vulnerability that allows attackers to bypass signature verification for WeChat Pay callbacks. Specifically, if the <code>Host</code> header of an incoming HTTP request to the callback endpoint is set to <code>localhost</code>, the function will skip the RSA signature check entirely. This is due to an unconditional check within the <code>verify_wechat_sign()</code> function in <code>src/Functions.php</code>. This vulnerability can be exploited to create fake payment success notifications, potentially leading to fraudulent transactions. The attack requires no authentication and can be performed purely over the network. While real-world exploitation might be limited by web application firewalls or reverse proxies filtering the Host header, the underlying vulnerability remains a risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable application using <code>yansongda/pay</code> for WeChat Pay integrations (version &lt;= 3.7.19).</li>
<li>Attacker crafts a malicious HTTP POST request targeting the WeChat Pay callback endpoint (e.g., <code>/payment/wechat/callback</code>).</li>
<li>The crafted request includes the header <code>Host: localhost</code>.</li>
<li>The request also contains other required WeChat Pay headers like <code>Wechatpay-Serial</code>, <code>Wechatpay-Timestamp</code>, <code>Wechatpay-Nonce</code>, and <code>Wechatpay-Signature</code> but the <code>Wechatpay-Signature</code> value can be arbitrary.</li>
<li>The request body contains a JSON payload mimicking a successful transaction notification with a forged <code>id</code> and <code>event_type</code>.</li>
<li>The vulnerable <code>verify_wechat_sign()</code> function in <code>src/Functions.php</code> receives the request.</li>
<li>Due to the <code>Host: localhost</code> header, the signature verification step is skipped.</li>
<li>The application incorrectly processes the forged notification and marks the order as paid, resulting in the attacker receiving goods or services without payment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to significant payment fraud, as attackers can receive goods or services without making actual payments. The attack requires no authentication and can be performed remotely. Affected applications are those utilizing the <code>yansongda/pay</code> package version 3.7.19 or earlier for WeChat Pay callback handling. The impact is primarily economic, with potential losses stemming from unfulfilled payments. While real-world exploitation may be mitigated by network-level controls, the vulnerability poses a risk to unpatched systems or misconfigured environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>yansongda/pay</code> package to a version greater than 3.7.19 to remediate CVE-2026-33661.</li>
<li>Implement a web application firewall (WAF) rule to block or sanitize <code>Host</code> headers containing <code>localhost</code> on WeChat Pay callback endpoints, mitigating the vulnerability even in unpatched systems.</li>
<li>Deploy the Sigma rule <code>Detect WeChat Pay Callback with Localhost Host Header</code> to identify attempts to exploit this vulnerability.</li>
<li>Review and harden the configuration of your reverse proxy (e.g., Nginx, Apache) to ensure it properly validates and sanitizes incoming HTTP request headers, especially the <code>Host</code> header, preventing attackers from injecting malicious values.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wechatpay</category><category>signature-bypass</category><category>payment-fraud</category><category>webserver</category></item></channel></rss>