mall
[security vulnerability] Arbitrary Order Detail Access Vulnerability
Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/macrozheng/mall/blob/master/mall-portal/src/main/java/com/macro/mall/portal/service/impl/OmsPortalOrderServiceImpl.java#L390
![image](https://user-images.githubusercontent.com/131662463/234025985-4df484e7-4525-400f-bfa4-a860107e2185.png)
The developer failed to check the ownership of the orderId against the accessing user when querying the order details via orderMapper.selectByPrimaryKey(), so the details of any order can be retrieved through detail/{id} simply by supplying a different id (i.e., https://github.com/macrozheng/mall/blob/master/mall-admin/src/main/java/com/macro/mall/controller/OmsOrderController.java#L75), leaking user privacy data (e.g., address, phone number, etc.).
![image](https://user-images.githubusercontent.com/131662463/234026232-4b08b282-e34a-4f93-8bd3-79f29fe6dbdd.png)
We recommend that developers add an access control check before querying by orderId, to ensure that the accessor is the owner of the order.
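As an added illustration (not code from the mall project), the vulnerable lookup shape beside a hardened one that binds the query to the authenticated member; the `OmsOrder` fields, the in-memory map standing in for the MyBatis mapper, and the `currentMemberId` parameter are assumptions. It also goes one step beyond the recommendation above by returning the same "not found" result for foreign and non-existent orders, so the check does not reveal which ids exist.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Minimal stand-in for the project's order entity (assumption: the real
// MyBatis-generated OmsOrder carries a memberId column naming the owner).
record OmsOrder(long id, long memberId, String receiverPhone, String receiverAddress) {}

public class OrderDetailAccessDemo {
    // Constructed sample rows standing in for orderMapper.selectByPrimaryKey().
    private static final Map<Long, OmsOrder> ORDERS = new HashMap<>();
    static {
        ORDERS.put(101L, new OmsOrder(101L, 1L, "138-0000-0001", "1 Example Road"));
        ORDERS.put(102L, new OmsOrder(102L, 2L, "139-0000-0002", "2 Example Street"));
    }

    // Vulnerable shape: the caller's identity is never consulted, so the id
    // alone selects the row. This mirrors the missing check reported above.
    static OmsOrder detailVulnerable(long orderId) {
        return ORDERS.get(orderId);
    }

    // Hardened shape: the lookup is tied to the authenticated member (in the
    // project this would come from the current-member lookup, not from the
    // request). A foreign order and a missing order are indistinguishable to
    // the caller, so the endpoint cannot be used to probe valid ids.
    static Optional<OmsOrder> detailChecked(long orderId, long currentMemberId) {
        OmsOrder order = ORDERS.get(orderId);
        if (order == null || order.memberId() != currentMemberId) {
            return Optional.empty();
        }
        return Optional.of(order);
    }

    public static void main(String[] args) {
        long memberTwo = 2L;
        // Member 2 requesting order 101, which belongs to member 1: the
        // unchecked path hands back the row, the checked path does not.
        System.out.println("vulnerable: " + detailVulnerable(101L));
        System.out.println("checked:    " + detailChecked(101L, memberTwo));
        // Member 2 requesting its own order 102 still works after the fix.
        System.out.println("own order:  " + detailChecked(102L, memberTwo));
    }
}
```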