Impact
All affected OpenVK versions have a bug that lets users create payment requests for negative amounts. By calling the `Apps.pay` Service API method with a negative amount, a user can top up their own balance without vouchers or any other legitimate source of funds, regardless of whether commerce is enabled on the instance.
Patches
The problem was introduced in commit d767d8e and fixed in 3c632f3. Technical Preview releases do not have this vulnerability, but nightly builds that include d767d8e and predate 3c632f3 do.
Workarounds
There is no way to work around this issue without disabling the Service API entirely, by blocking all requests to the URL `/rpc` at the web server. Note that this also breaks polls, messages, notifications and possibly other functionality.
Alternatively, apply the patch to the `ServiceAPI/Apps.php` file only, or configure your reverse proxy to deny all requests containing the substring "Apps.pay". If you choose the proxy filter, make sure it inspects wherever the method name is carried in the request (query string and request body), not just the URL path, and treat it as a stopgap until the patched file is deployed.
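As an added illustration, and not OpenVK's own code or the actual change in 3c632f3, the following hypothetical PHP helper shows the class of check a Service API payment method needs before touching a balance: reject the request when commerce is disabled, accept only a canonical positive integer, and cap it. The names `validatePayAmount`, `PayRequestError` and `$commerceEnabled` are assumptions; the vulnerable shape shown alongside is a generic signed-integer cast, not a quote of the affected code.

```php
<?php
// Added example, not OpenVK's code. Hypothetical validation for an
// "Apps.pay"-style Service API method. All names here are assumptions.

declare(strict_types=1);

final class PayRequestError extends \RuntimeException {}

/**
 * Validate the amount of a payment request before any balance is touched.
 *
 * Returns the amount as a positive integer, or throws. The caller therefore
 * never sees a value that could turn a debit into a credit.
 */
function validatePayAmount(mixed $raw, bool $commerceEnabled, int $maxAmount = 1_000_000): int
{
    if (!$commerceEnabled) {
        throw new PayRequestError('Commerce is disabled on this instance');
    }

    // Accept only a native int or a canonical decimal digit string.
    // The regex rejects "-5", "+5", "5.0", "1e3", " 5", "" and null outright,
    // so no sign or exponent ever reaches the (int) cast.
    if (is_int($raw)) {
        $amount = $raw;
    } elseif (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}$/', $raw) === 1) {
        $amount = (int) $raw;
    } else {
        throw new PayRequestError('Amount must be a positive integer');
    }

    if ($amount <= 0) {
        throw new PayRequestError('Amount must be greater than zero');
    }
    if ($amount > $maxAmount) {
        throw new PayRequestError('Amount exceeds the per-request limit');
    }

    return $amount;
}

/**
 * Vulnerable shape, for contrast: trusting a bare signed cast means
 * a negative "amount" increases the payer's balance when subtracted.
 */
function vulnerableAmount(mixed $raw): int
{
    return (int) $raw; // (int) "-500" === -500
}

// Constructed sample inputs, not captured requests.
foreach (['500', '-500', '0', '5.0', '1e3', 2147483648] as $input) {
    try {
        printf("%-12s -> accepted: %d\n", var_export($input, true), validatePayAmount($input, true));
    } catch (PayRequestError $e) {
        printf("%-12s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
printf("vulnerable cast of \"-500\": %d\n", vulnerableAmount('-500'));
```

The point of the whitelist regex rather than a `$amount < 0` check after the cast is that PHP's loose conversions ("1e3", "5.0", leading whitespace) are exactly where a signed or non-integer value slips through; validating the raw input first keeps the comparison meaningful. Any such check also belongs inside the same transaction that debits the balance, so a second request cannot race it.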