| タイトル | youlai-mall latest Improper Control of Resource Identifiers |
|---|
| 説明 | 1. youlai-mall improper access control on App order payment enables horizontal privilege escalation via orderSn , allowing unauthorized deduction from another user’s balance.
2. Vulnerability Location
orderSn: POST /mall-oms/app-api/v1/orders/payment
3. Code Analysis
Controller: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java
@PostMapping("/payment") → orderService.payOrder(paymentForm)
Service: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/app/impl/OrderServiceImpl.java
payOrder(OrderPaymentForm) : loads order by orderSn , checks only UNPAID , no ownership check ( order.getMemberId() == SecurityUtils.getMemberId() missing).
Balance path: balancePay(order) deducts the order owner’s balance:
Long memberId = order.getMemberId();
memberFeignClient.deductBalance(memberId, order.getPaymentAmount());
Then deducts stock and updates order status to PAID .
WeChat path: wxJsapiPay(appId, orderSn, paymentAmount) uses the current user’s openid (via SecurityUtils.getMemberId() ), still without verifying that the payer owns the order.
|
|---|
| ソース | ⚠️ https://github.com/Hwwg/cve/issues/24 |
|---|
| ユーザー | huangweigang (UID 88993) |
|---|
| 送信 | 2025年12月07日 07:01 (6 月 ago) |
|---|
| モデレーション | 2025年12月25日 10:50 (18 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 338412 [youlaitech youlai-mall 1.0.0/2.0.0 Order Payment OrderController.java orderService.payOrder 特権昇格] |
|---|
| ポイント | 20 |
|---|