| Title | StarSea99 starsea-mall 1.0 Improper Access Controls |
|---|
| Description | # Summary
The starsea-mall project is an e-commerce system developed by StarSea99. It consists of the starsea-mall storefront (front end) and a back-end management system, and is built on the Spring Boot 2.X framework and related technology stacks.
starsea-mall version 1.0 contains an arbitrary-user-login vulnerability in the storefront. By changing the userId parameter in a profile-update request, an authenticated attacker obtains another user's account data and, because the session is then bound to that user, acts as that user from then on.
The root cause is an inconsistent choice of id between the update and the read-back of user data: the update is keyed by the id stored in the session, but the record that is read back and written into the session is keyed by the id supplied by the client. This lets an attacker bypass authentication and take over other users' accounts.
# Details
## Steps to Reproduce:
1. Click the registration button, complete registration, and log in.
2. Navigate to the personal center.
3. Modify personal information.
4. Confirm the changes, intercept the request with a proxy such as Burp Suite, and change the userId value in the request body to the target user's id.
5. Forward the modified request and observe that the response data now belongs to the other user.
## Related Code Logic:
The vulnerability is in the updateInfo method of the com.siro.mall.controller.mall.UserController class (route /personal/updateInfo), which delegates to userService.updateUserInfo, where the flawed logic lives.
updateUserInfo takes two parameters: a User object deserialized from the incoming JSON and the Session object.
It reads the id from the Session and updates the user record belonging to that id, so the write itself is correctly scoped to the logged-in user.
After the update, however, it loads and returns the user record by the id carried in the incoming User object rather than by the id from the Session.
The updated user and the returned user are therefore not the same, and the user stored in the Session is replaced by the record the attacker selected.
On subsequent requests the login check reads the attacker-chosen id from the Session, so the attacker is now logged in as the victim. The fix is to use the Session id for both the update and the read-back and to ignore any id supplied in the request body. |
|---|
| Source | https://wiki.shikangsi.com/post/share/baecf028-1116-4600-ae9c-f655cc93c29b |
|---|
| User | wiki (UID 72124) |
|---|
| Submitted | 05/03/2025 03:52 PM (1 year ago) |
|---|
| Moderated | 07/03/2025 07:17 AM (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 298903 [StarSea99 starsea-mall 1.0/2.X com.siro.mall.controller.mall.UserController /personal/updateInfo updateUserInfo userId authorization bypass] |
|---|
| Points | 20 |
|---|
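The following is an added illustration of the updateUserInfo logic described under "Related Code Logic" above, placed beside a hardened version; it is not starsea-mall's own source. The Spring MVC plumbing (HttpSession, @RequestBody, the persistence layer) is replaced with plain Java and an in-memory map so the flow runs stand-alone, the sample users are constructed, and every identifier other than updateUserInfo and userId (session attribute name, class and field names) is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration of the updateUserInfo flaw; not starsea-mall's own source.
 * Spring session/persistence plumbing is replaced with plain Java so it runs alone.
 * All identifiers except updateUserInfo and userId are assumptions.
 */
public class UpdateInfoDemo {

    /** Assumed name of the session attribute that holds the logged-in user. */
    static final String SESSION_USER_KEY = "mallUser";

    static class User {
        Long userId;
        String nickname;

        User(Long userId, String nickname) {
            this.userId = userId;
            this.nickname = nickname;
        }

        User copy() {
            return new User(userId, nickname);
        }
    }

    /** Stand-in for the database: constructed sample rows keyed by userId. */
    static final Map<Long, User> USERS = new HashMap<>();

    /**
     * VULNERABLE: mirrors the logic the advisory describes. The update is keyed by the
     * session's id, but the read-back and the session refresh use incoming.userId,
     * which the client controls.
     */
    static User updateUserInfoVulnerable(User incoming, Map<String, Object> session) {
        User current = (User) session.get(SESSION_USER_KEY);
        // Update the row of the logged-in user (correctly scoped to the session id).
        USERS.get(current.userId).nickname = incoming.nickname;
        // BUG 1: read back by the id taken from the request body ...
        User returned = USERS.get(incoming.userId);
        // BUG 2: ... and install that record as the session principal.
        session.put(SESSION_USER_KEY, returned.copy());
        return returned;
    }

    /**
     * FIXED: the session id is the only identity used. Whatever userId the client sent
     * is discarded, so update, read-back and session refresh all refer to the same user.
     */
    static User updateUserInfoFixed(User incoming, Map<String, Object> session) {
        User current = (User) session.get(SESSION_USER_KEY);
        Long id = current.userId;
        incoming.userId = id; // overwrite the client-supplied id before any lookup
        USERS.get(id).nickname = incoming.nickname;
        User returned = USERS.get(id);
        session.put(SESSION_USER_KEY, returned.copy());
        return returned;
    }

    public static void main(String[] args) {
        USERS.put(1L, new User(1L, "victim"));
        USERS.put(2L, new User(2L, "attacker"));

        // Attacker registers and logs in (steps 1-3): session bound to userId 2.
        Map<String, Object> session = new HashMap<>();
        session.put(SESSION_USER_KEY, USERS.get(2L).copy());

        // Step 4: the intercepted profile-update body with userId changed from 2 to 1.
        User tampered = new User(1L, "new-nick");

        User response = updateUserInfoVulnerable(tampered, session);
        User principal = (User) session.get(SESSION_USER_KEY);
        System.out.println("vulnerable: response userId=" + response.userId
                + " nickname=" + response.nickname
                + ", session userId=" + principal.userId);

        // The same tampered request against the fixed logic, from a fresh attacker session.
        session.put(SESSION_USER_KEY, USERS.get(2L).copy());
        response = updateUserInfoFixed(new User(1L, "new-nick"), session);
        principal = (User) session.get(SESSION_USER_KEY);
        System.out.println("fixed: response userId=" + response.userId
                + " nickname=" + response.nickname
                + ", session userId=" + principal.userId);
    }
}
```

Running the demo shows the two halves of the bug together: on the vulnerable path the attacker's own row receives the nickname change, but the response and the session principal both carry userId 1, the victim's record, so every later request is served as user 1. On the fixed path the response and the session stay on userId 2 regardless of what the body contained. The general rule this illustrates is that the acting identity must come from the server-side session only; any id in a request body is untrusted input and must never be used to look up, return, or re-bind the principal.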