GHSA-xff3-5c9p-2mr4

Summary

A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws:

1. The Stripe webhook endpoint does not reject requests when StripeWebhookSecret is empty (the default).
2. When the HMAC secret is empty, any attacker can compute valid webhook signatures, effectively bypassing signature verification entirely.
3. The Recharge function does not validate that the order's PaymentMethod matches the callback source, enabling cross-gateway exploitation — an order created via any payment method (e.g., Epay) can be fulfilled through a forged Stripe webhook.

Affected Components

• controller/topup_stripe.go — StripeWebhook(), sessionCompleted()
• model/topup.go — Recharge(), RechargeCreem(), RechargeWaffo()
• controller/topup.go — EpayNotify()
• controller/topup_creem.go — CreemAdaptor.RequestPay() (missing PaymentMethod field)
• router/api-router.go — webhook route registered without any guard

CWE Classification

• CWE-345: Insufficient Verification of Data Authenticity
• CWE-1188: Initialization with an Insecure Default (empty webhook secret)
• CWE-863: Incorrect Authorization (cross-gateway order fulfillment)

Vulnerability Details

Flaw 1: Empty Webhook Secret Bypasses Signature Verification

The StripeWebhookSecret setting defaults to an empty string "". The Stripe Go SDK (webhook.ConstructEventWithOptions) does not reject empty secrets — it computes HMAC-SHA256 with an empty key, producing a deterministic and publicly computable signature.

Vulnerable code (controller/topup_stripe.go):

func StripeWebhook(c *gin.Context) {
    // No check for empty StripeWebhookSecret
    payload, _ := io.ReadAll(c.Request.Body)
    signature := c.GetHeader("Stripe-Signature")
    endpointSecret :=...