[security vulnerability] Free Payment of Orders
GatekeeperBuster opened this issue · comments
Recently, our team found a vulnerability causing the free payment of orders in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L375.
The developer failed to check the privilege of the accessor when updating the order status via newBeeMallOrderMapper.updateByPrimaryKeySelective(), while the request to the path /paySuccess is also unauthorized (i.e., https://github.com/newbee-ltd/newbee-mall/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L149 ), which means an attacker can change the pay status of the order to achieve free payment.
We recommend that developers add access control policies to restrict the change of order status, especially pay status.
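The shape of the fix the report asks for, as an added illustration that is not newbee-mall's own code: the `Order` class, the in-memory `ORDERS` map standing in for the mapper, the `userId` field and the status constants are all assumptions made for this demo. It places the unchecked update beside a version that ties the caller to the session identity, checks order ownership, and only allows the unpaid-to-paid transition.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not newbee-mall code: Order, ORDERS, the userId field
// and the status constants are assumptions for this demo.
public class OrderPayDemo {
    static final byte PAY_STATUS_UNPAID = 0;
    static final byte PAY_STATUS_PAID = 1;
    static final byte ORDER_STATUS_PENDING = 0;
    static final byte ORDER_STATUS_PAID = 1;

    static class Order {
        final String orderNo;
        final long userId;               // owner of the order
        byte payStatus = PAY_STATUS_UNPAID;
        byte orderStatus = ORDER_STATUS_PENDING;
        Order(String orderNo, long userId) { this.orderNo = orderNo; this.userId = userId; }
    }

    // In-memory stand-in for the database the mapper would update.
    static final Map<String, Order> ORDERS = new HashMap<>();

    // Vulnerable shape: anyone who knows an order number can mark it paid.
    static boolean paySuccessUnchecked(String orderNo) {
        Order o = ORDERS.get(orderNo);
        if (o == null) return false;
        o.payStatus = PAY_STATUS_PAID;
        o.orderStatus = ORDER_STATUS_PAID;
        return true;
    }

    // Hardened shape: the user id comes from the authenticated session (never
    // from the request body), the order must belong to that user, and only an
    // unpaid order may move to paid.
    static boolean paySuccess(String orderNo, long sessionUserId) {
        Order o = ORDERS.get(orderNo);
        if (o == null || o.userId != sessionUserId) return false; // not the caller's order
        if (o.payStatus != PAY_STATUS_UNPAID) return false;        // invalid transition
        o.payStatus = PAY_STATUS_PAID;
        o.orderStatus = ORDER_STATUS_PAID;
        return true;
    }

    public static void main(String[] args) {
        ORDERS.put("ORD-1", new Order("ORD-1", 42L));   // constructed sample order
        System.out.println(paySuccess("ORD-1", 99L));   // false: user 99 does not own ORD-1
        System.out.println(paySuccess("ORD-1", 42L));   // true: owner, first payment
        System.out.println(paySuccess("ORD-1", 42L));   // false: already paid
    }
}
```

The ownership check stops one user from touching another's order, but it does not by itself prove that money changed hands; in production the transition to paid should be driven by a verified notification from the payment provider rather than by a client-triggered request.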