Youlaitech Youlai-Mall Improper Access Control Vulnerability in Order Payment Handling

Vulnerability

A vulnerability exists in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0, specifically within the order payment processing function of the OrderController. This vulnerability allows for improper access control, enabling horizontal privilege escalation by manipulating the orderSn parameter. As a result, an unauthorized deduction can be made from another user's account balance. The issue can be exploited remotely, although it requires a valid application login token and knowledge of the target user's orderSn, which could be obtained through various means such as the user interface or application logs.

Impact

Exploitation of this vulnerability allows any logged-in user to pay for orders belonging to other users, using the victims' account balances. This not only causes financial loss to the affected users but also breaches account security by allowing unauthorized access to financial resources. The vulnerability could be exploited repeatedly if the orderSn values are predictable, potentially leading to significant financial damage across multiple accounts.

Reproduction

To reproduce this vulnerability, log in as a user (User A) and obtain a valid authentication token. Then identify an orderSn belonging to a target user (User B) whose order is in UNPAID status. With User A's token, send a POST request to the order payment endpoint, including User B's orderSn and the payment method set to BALANCE. The response will confirm the payment was processed, deducting funds from User B's account without any ownership verification.
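The following is an added illustration, not code from Youlai-Mall: a minimal model of a balance-payment handler that trusts the orderSn alone, beside one that enforces that the order belongs to the authenticated caller and is still UNPAID. Class names, field names and the sample orders are assumptions constructed for the example.

```python
from dataclasses import dataclass

UNPAID, PAID = "UNPAID", "PAID"


@dataclass
class Order:
    order_sn: str    # constructed sample identifier, not a real order number
    member_id: int   # owner of the order
    amount: int
    status: str = UNPAID


class PaymentError(Exception):
    pass


class PaymentService:
    def __init__(self, orders, balances):
        self.orders = {o.order_sn: o for o in orders}
        self.balances = balances  # member_id -> balance, hypothetical store

    def pay_vulnerable(self, caller_id, order_sn):
        """Flawed pattern: the caller identity is never compared with the order owner,
        so whoever owns the order is charged, regardless of who submitted the request."""
        order = self.orders[order_sn]
        return self._deduct(order)

    def pay_fixed(self, caller_id, order_sn):
        """Hardened pattern: look the order up, then require ownership and UNPAID status."""
        order = self.orders.get(order_sn)
        # Same error for unknown and foreign orders, so responses do not reveal
        # whether an orderSn exists for some other member.
        if order is None or order.member_id != caller_id:
            raise PaymentError("order not found")
        if order.status != UNPAID:
            raise PaymentError("order is not payable")
        return self._deduct(order)

    def _deduct(self, order):
        """Deduct the order amount from the owner's balance; returns the charged member."""
        if self.balances[order.member_id] < order.amount:
            raise PaymentError("insufficient balance")
        self.balances[order.member_id] -= order.amount
        order.status = PAID
        return order.member_id


def run_demo():
    """Member 1 submits member 2's orderSn to both handlers; returns who was charged."""
    vuln = PaymentService([Order("SN-B-001", 2, 50)], {1: 100, 2: 100})
    charged = vuln.pay_vulnerable(1, "SN-B-001")
    fixed = PaymentService([Order("SN-B-001", 2, 50)], {1: 100, 2: 100})
    try:
        fixed.pay_fixed(1, "SN-B-001")
        rejected = False
    except PaymentError:
        rejected = True
    return {"vuln_charged": charged, "vuln_balance_2": vuln.balances[2],
            "fixed_rejected": rejected, "fixed_balance_2": fixed.balances[2]}
```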

Added: Dec 25, 2025, 7:17 PM
Updated: Dec 25, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.