| Field | Value |
|---|---|
| Title | youlai-mall latest Improper Control of Resource Identifiers |
| Description | 1. youlai-mall improper access control on App order payment enables horizontal privilege escalation via `orderSn`, allowing unauthorized deduction from another user's balance.<br>2. Vulnerability Location<br>`orderSn`: `POST /mall-oms/app-api/v1/orders/payment`<br>3. Code Analysis<br>Controller: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java`<br>`@PostMapping("/payment")` → `orderService.payOrder(paymentForm)`<br>Service: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/app/impl/OrderServiceImpl.java`<br>`payOrder(OrderPaymentForm)`: loads order by `orderSn`, checks only `UNPAID`, no ownership check (`order.getMemberId() == SecurityUtils.getMemberId()` missing).<br>Balance path: `balancePay(order)` deducts the order owner's balance:<br>`Long memberId = order.getMemberId();`<br>`memberFeignClient.deductBalance(memberId, order.getPaymentAmount());`<br>Then deducts stock and updates order status to `PAID`.<br>WeChat path: `wxJsapiPay(appId, orderSn, paymentAmount)` uses the current user's openid (via `SecurityUtils.getMemberId()`), still without verifying that the payer owns the order. |
| Source | https://github.com/Hwwg/cve/issues/24 |
| User | huangweigang (UID 88993) |
| Submitted | 2025-12-07 07:01 AM (6 months ago) |
| Moderation | 2025-12-25 10:50 AM (18 days later) |
| Status | Accepted |
| VulDB Entry | 338412 [youlaitech youlai-mall 1.0.0/2.0.0 Order Payment OrderController.java orderService.payOrder Privilege Escalation] |
| Points | 20 |
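The description above boils down to one missing authorization step: `payOrder()` trusts the client-supplied `orderSn` to imply ownership. The following is an added illustration, not youlai-mall's own code, of the unchecked shape beside a hardened `payOrder()` that binds the order to the authenticated member before any balance is touched. `Order`, `OrderStatus`, `SecurityUtils`, `deductBalance()` and the in-memory order map are stand-ins constructed for this example; only the method names `payOrder`, `getMemberId()` and `SecurityUtils.getMemberId()` come from the report. It also covers a pitfall in the exact comparison the report quotes: `==` on two boxed `Long` values compares references, so the check must use `Objects.equals` (or unbox) to be reliable for ids above the `Long` cache range.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example (not youlai-mall's code): ownership check for an order-payment endpoint.
public class OrderOwnershipCheckExample {

    enum OrderStatus { UNPAID, PAID }

    // Stand-in for the order entity loaded by orderSn.
    static final class Order {
        final String orderSn;
        final Long memberId;        // owner of the order
        final long paymentAmount;
        OrderStatus status = OrderStatus.UNPAID;

        Order(String orderSn, Long memberId, long paymentAmount) {
            this.orderSn = orderSn;
            this.memberId = memberId;
            this.paymentAmount = paymentAmount;
        }
    }

    // Stand-in for SecurityUtils.getMemberId(): the member id taken from the
    // authenticated session/token, never from the request body.
    static final class SecurityUtils {
        private static Long currentMemberId;
        static void setMemberId(Long id) { currentMemberId = id; }
        static Long getMemberId() { return currentMemberId; }
    }

    // Constructed sample data: order "SN-1001" belongs to member 1000.
    static final Map<String, Order> ORDERS = new HashMap<>();
    static final Map<Long, Long> BALANCES = new HashMap<>();
    static {
        ORDERS.put("SN-1001", new Order("SN-1001", 1000L, 250L));
        BALANCES.put(1000L, 1000L);
        BALANCES.put(2000L, 50L);
    }

    // Stand-in for memberFeignClient.deductBalance(memberId, amount).
    static void deductBalance(Long memberId, long amount) {
        long current = BALANCES.getOrDefault(memberId, 0L);
        if (current < amount) throw new IllegalStateException("insufficient balance");
        BALANCES.put(memberId, current - amount);
    }

    // The shape the report describes: only the UNPAID status is checked, and the
    // balance is deducted from whichever member the order belongs to.
    static void payOrderUnchecked(String orderSn) {
        Order order = ORDERS.get(orderSn);
        if (order == null) throw new IllegalArgumentException("order not found");
        if (order.status != OrderStatus.UNPAID) throw new IllegalStateException("not payable");
        deductBalance(order.memberId, order.paymentAmount);   // order owner pays
        order.status = OrderStatus.PAID;
    }

    // Hardened version: the authenticated member must own the order.
    static void payOrder(String orderSn) {
        Order order = ORDERS.get(orderSn);
        if (order == null) throw new IllegalArgumentException("order not found");
        if (order.status != OrderStatus.UNPAID) throw new IllegalStateException("not payable");

        Long caller = SecurityUtils.getMemberId();
        // Objects.equals, not ==: boxed Longs outside -128..127 are distinct objects.
        if (caller == null || !Objects.equals(order.memberId, caller)) {
            // Worth logging with orderSn + caller id: repeated denials here are the
            // detection signal for someone enumerating other members' orderSn values.
            throw new SecurityException("order " + orderSn + " does not belong to member " + caller);
        }
        // Once ownership is proven, caller and order.memberId are the same account.
        deductBalance(caller, order.paymentAmount);
        order.status = OrderStatus.PAID;
    }

    public static void main(String[] args) {
        SecurityUtils.setMemberId(2000L);               // a different member is logged in
        try {
            payOrder("SN-1001");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        SecurityUtils.setMemberId(1000L);               // the real owner
        payOrder("SN-1001");
        System.out.println("owner balance after payment: " + BALANCES.get(1000L)); // 750
    }
}
```

The same check belongs in the WeChat path: even though `wxJsapiPay` uses the caller's openid, the `orderSn` it is handed still needs to be validated against the caller before a payment record is created, otherwise a stranger can drive another member's order through the PAID transition.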