[Vulnerability Alert] XXE vulnerability in the WeChat Pay Java SDK

Published: 2019-06-29

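Recently, an overseas security community disclosed a serious vulnerability in the official WeChat Pay SDK that can lead to merchant servers being compromised (with the effect of bypassing payment). The vulnerability details and the attack method have now been made public, and the scope of impact is very large (Momo and vivo have been confirmed as affected). Users of the Java SDK are advised to check and fix their systems quickly, and to pay attention to the security of business systems that handle payment scenarios.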

Vulnerability overview

XML External Entity injection (XXE): when references to external entities are allowed, maliciously constructed content can lead to reading arbitrary files, executing system commands, probing internal network ports, attacking internal websites, and similar harm.

Impact

This vulnerability lets an attacker build a malicious, valid payload for the notification URL in order to steal any information from the merchant's server as needed. Once the attacker has obtained the merchant's key security secrets (md5-key, merchant-id and so on), they can even deceive the merchant by sending forged messages and buy anything without paying. At present WeChat has not yet fixed the SDK. Momo and vivo have already been verified as affected by this vulnerability.

Affected scope

The official WeChat Pay Java SDK

Remediation advice

1. Users can use the method their development language provides for disabling external entities. The Java code for disabling external entities is as follows:

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false); // do not expand entity references
