Youlaitech Youlai-Mall Improper Access Control Vulnerability Allowing Unauthorized Address Manipulation
Vulnerability
An improper access control vulnerability has been identified in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0. The issue resides in the addresses API endpoint, specifically within the functions getById, updateAddress, and deleteAddress. This vulnerability allows authenticated users to access, modify, or delete address information belonging to other users, leading to unauthorized manipulation of personal data. The flaw arises from a lack of proper validation to ensure that users can only interact with their own address data. Exploitation of this vulnerability can be done remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for horizontal privilege escalation, where an authenticated user can access, modify, or delete another user's address details. This not only breaches privacy by disclosing sensitive personal information but also disrupts data integrity by allowing unauthorized changes to be made. In cases where address IDs are predictable or enumerable, the vulnerability could be exploited across the entire user base, amplifying its impact.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and obtain a valid authorization token. For the getById function, send a GET request to the addresses endpoint with an address ID that belongs to a different user, using your authorization token. The response will include the address details of the other user, demonstrating unauthorized access. For the updateAddress function, intercept a PUT request to the addresses endpoint, modify the address ID to one that belongs to another user, and change the address details in the request body. Send the modified request using your authorization token. The response will confirm the update, showing that another user's address has been altered without permission. To exploit the deleteAddress function, send a DELETE request to the addresses endpoint with an address ID that belongs to a different user, again using your authorization token. This will result in the unauthorized deletion of the other user's address.
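The root cause is a lookup keyed only on the address ID. As an added example that is not Youlai-Mall's own code, the following framework-agnostic Python service shows the vulnerable lookup-by-id beside a hardened version that scopes every read, update and delete to the authenticated member; the names (AddressService, member_id, caller_id) and the in-memory store are assumptions.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller does not own the requested address."""


@dataclass
class Address:
    id: int
    member_id: int  # owning member
    detail: str


@dataclass
class AddressService:
    # Constructed in-memory store standing in for the addresses table.
    store: dict = field(default_factory=dict)

    # Vulnerable pattern from the advisory: the record is fetched by id alone,
    # so any authenticated caller can read, change or delete any address.
    def get_by_id_unsafe(self, address_id):
        return self.store[address_id]

    # Hardened pattern: every lookup is scoped to the authenticated member.
    # Missing and foreign ids raise the same error, so the response does not
    # reveal whether an id exists.
    def _owned(self, address_id, caller_id):
        addr = self.store.get(address_id)
        if addr is None or addr.member_id != caller_id:
            raise AccessDenied("address not found for this member")
        return addr

    def get_by_id(self, address_id, caller_id):
        return self._owned(address_id, caller_id)

    def update_address(self, address_id, caller_id, detail):
        addr = self._owned(address_id, caller_id)
        addr.detail = detail
        return addr

    def delete_address(self, address_id, caller_id):
        self._owned(address_id, caller_id)
        del self.store[address_id]


def build_service():
    # Constructed sample data: member 1 owns address 10, member 2 owns 20.
    svc = AddressService()
    svc.store[10] = Address(10, 1, "1 First St")
    svc.store[20] = Address(20, 2, "2 Second Ave")
    return svc
```

The same scoping belongs in the persistence query itself (select by id and member), so a handler cannot forget the check.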