| Titel | youlai-mall latest Improper Control of Resource Identifiers |
|---|
| Beschreibung | 1. youlai-mall improper access control on App order payment enables horizontal privilege escalation via orderSn , allowing unauthorized deduction from another user’s balance.
2. Vulnerability Location
orderSn: POST /mall-oms/app-api/v1/orders/payment
3. Code Analysis
Controller: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java
@PostMapping("/payment") → orderService.payOrder(paymentForm)
Service: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/app/impl/OrderServiceImpl.java
payOrder(OrderPaymentForm) : loads order by orderSn , checks only UNPAID , no ownership check ( order.getMemberId() == SecurityUtils.getMemberId() missing).
Balance path: balancePay(order) deducts the order owner’s balance:
Long memberId = order.getMemberId();
memberFeignClient.deductBalance(memberId, order.getPaymentAmount());
Then deducts stock and updates order status to PAID .
WeChat path: wxJsapiPay(appId, orderSn, paymentAmount) uses the current user’s openid (via SecurityUtils.getMemberId() ), still without verifying that the payer owns the order.
|
|---|
| Quelle | ⚠️ https://github.com/Hwwg/cve/issues/24 |
|---|
| Benutzer | huangweigang (UID 88993) |
|---|
| Einreichung | 07.12.2025 07:01 (vor 6 Monaten) |
|---|
| Moderieren | 25.12.2025 10:50 (18 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 338412 [youlaitech youlai-mall 1.0.0/2.0.0 Order Payment OrderController.java orderService.payOrder erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|