EverShop
cpe:2.3:a:evershop:evershop:*:*:*:*:node.js:*:*
- <= 2.0.1
A vulnerability allowing unauthorized access to sensitive order information has been identified in EverShop versions through 2.0.1. This Insecure Direct Object Reference (IDOR) vulnerability exists in the Order Handler component, specifically within the GraphQL query resolver for orders. The issue arises because the resolver accepts an order UUID without proper authentication or authorization checks, allowing any unauthenticated user to access detailed order information, including personal customer data, shipping and billing addresses, and purchase history.
Exploitation of this vulnerability leads to unauthorized access to complete order details, including sensitive customer personally identifiable information (PII) such as names, email addresses, phone numbers, and full shipping and billing addresses. Additionally, the vulnerability allows access to order totals, payment statuses, detailed product lists with prices, and shipping and tracking information.
To reproduce this vulnerability, first obtain a valid order UUID. This can be done through various methods such as email order confirmation links, predictable order numbering, information disclosure from error messages, social engineering, or brute forcing UUIDs that are generated based on time. Once a UUID is obtained, execute an unauthenticated GraphQL query to the '/api/graphql' endpoint, including the UUID in the request. The response will contain the sensitive order information.
Users are advised to implement authentication and authorization checks in the order query resolver. For guest checkout scenarios, a secure token mechanism can be introduced to validate access to order information.