| 标题 | youlai-mall latest Improper Control of Resource Identifiers |
|---|
| 描述 | 1. youlai-mall improper access control on App order payment enables horizontal privilege escalation via orderSn , allowing unauthorized deduction from another user’s balance.
2. Vulnerability Location
orderSn: POST /mall-oms/app-api/v1/orders/payment
3. Code Analysis
Controller: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java
@PostMapping("/payment") → orderService.payOrder(paymentForm)
Service: mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/app/impl/OrderServiceImpl.java
payOrder(OrderPaymentForm) : loads order by orderSn , checks only UNPAID , no ownership check ( order.getMemberId() == SecurityUtils.getMemberId() missing).
Balance path: balancePay(order) deducts the order owner’s balance:
Long memberId = order.getMemberId();
memberFeignClient.deductBalance(memberId, order.getPaymentAmount());
Then deducts stock and updates order status to PAID .
WeChat path: wxJsapiPay(appId, orderSn, paymentAmount) uses the current user’s openid (via SecurityUtils.getMemberId() ), still without verifying that the payer owns the order.
|
|---|
| 来源 | ⚠️ https://github.com/Hwwg/cve/issues/24 |
|---|
| 用户 | huangweigang (UID 88993) |
|---|
| 提交 | 2025-12-07 07時01分 (6 月前) |
|---|
| 管理 | 2025-12-25 10時50分 (18 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 338412 [youlaitech youlai-mall 1.0.0/2.0.0 Order Payment OrderController.java orderService.payOrder 权限提升] |
|---|
| 积分 | 20 |
|---|