newbee-mall
cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*
- 613a662adf1da7623ec34459bc83e3c1b12d8ce7
A critical payment vulnerability has been identified in Newbee Mall versions prior to commit 613a662adf1da7623ec34459bc83e3c1b12d8ce7. The issue resides in the Order Status Handler component, specifically in the paySuccess function behind the /paySuccess endpoint. The flaw is improper authorization: the endpoint updates an order's status based solely on the order ID supplied in the request, without verifying that the caller owns the order or that a payment actually took place. An attacker can therefore send crafted requests to mark orders as paid. Because the order ID is not tied to the requesting user, the same flaw also enables horizontal privilege escalation, letting one user modify the payment status of other users' orders.
Exploitation allows zero-cost purchases, since any order can be arbitrarily marked as paid, and the horizontal privilege escalation lets an attacker alter other users' order statuses, leading to a complete breakdown of the transaction system.
To reproduce this vulnerability, log in with a normal user account and send a crafted request to the /paySuccess endpoint, including another user's order ID in the orderNo parameter. The absence of authorization checks will allow the request to be processed, updating the targeted order's status to 'paid'.
Payment confirmation should be handled exclusively through callbacks from a trusted third-party payment provider, such as WeChat Pay or Alipay, and the callback must be verified (signature and amount) before an order is marked paid. The system must not depend on payment-status parameters sent directly by the client, and any user-facing order endpoint must check that the order belongs to the requesting user.
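The following is an added illustration, not newbee-mall's code: a minimal in-memory order store with the flawed "mark paid on request" handler next to a hardened version that only accepts a signed provider notification whose amount matches the stored order. The HMAC scheme, secret and order data are constructed stand-ins for a real provider's (WeChat Pay / Alipay) signed callback.

```python
import hmac
import hashlib

UNPAID, PAID = 0, 1

# Constructed sample data: two users, each with one unpaid order.
_SAMPLE_ORDERS = {
    "ORD-1001": {"owner": "alice", "amount_cents": 2599, "status": UNPAID},
    "ORD-1002": {"owner": "bob", "amount_cents": 4900, "status": UNPAID},
}


def fresh_orders():
    """Return a fresh copy of the sample store so each run starts unpaid."""
    return {k: dict(v) for k, v in _SAMPLE_ORDERS.items()}


def pay_success_vulnerable(orders, order_no):
    """Mirrors the flaw described above: trusts the client-supplied orderNo
    and flips the order to paid with no ownership or provider check."""
    orders[order_no]["status"] = PAID
    return True


def sign_callback(provider_secret, order_no, amount_cents):
    """Provider side (simulated): HMAC-SHA256 over the notification fields."""
    msg = f"{order_no}|{amount_cents}".encode()
    return hmac.new(provider_secret, msg, hashlib.sha256).hexdigest()


def pay_success_hardened(orders, provider_secret, order_no, amount_cents, signature):
    """Only a correctly signed provider notification whose amount matches the
    stored order may mark it paid. The HTTP caller's identity is irrelevant:
    the trust comes from the provider's signature, never from request params."""
    expected = sign_callback(provider_secret, order_no, amount_cents)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    order = orders.get(order_no)
    if order is None:
        return "unknown_order"
    if order["amount_cents"] != amount_cents:
        return "amount_mismatch"  # underpaid / tampered notification
    if order["status"] == PAID:
        return "already_paid"  # idempotent: a replayed callback changes nothing
    order["status"] = PAID
    return "ok"


def can_access_order(orders, order_no, current_user):
    """Ownership check every user-facing order endpoint must perform, which is
    what blocks the horizontal privilege escalation described above."""
    order = orders.get(order_no)
    return order is not None and order["owner"] == current_user
```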