Youlaitech Youlai-Mall Improper Authorization Vulnerability in Balance Deduction Function
Vulnerability
A vulnerability exists in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0, specifically within the Balance Handler component. The issue is in the 'deductBalance' function of MemberController.java: the handler acts on the member identified by the '{memberId}' path parameter without checking that the authenticated caller is authorized to act on that member's account. Any authenticated user can therefore deduct balance from arbitrary members by sending a request to the PUT '/mall-ums/app-api/v1/members/{memberId}/balances/_deduct' endpoint. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability leads to unauthorized deductions of user balances, causing financial loss to victims. The flaw is a horizontal privilege escalation (an insecure direct object reference, or broken object-level authorization): the 'memberId' path parameter is never compared against the authenticated user's identity, so one member can manipulate another member's balance. It also bypasses normal business logic, since balance deductions should only occur through established processes such as order payments or refunds, not through a directly callable user-facing endpoint.
Reproduction
To reproduce this vulnerability, log in as any ordinary member and obtain a valid token. Then send a PUT request to '/mall-ums/app-api/v1/members/{memberId}/balances/_deduct' with that token, replacing '{memberId}' with the identifier of a victim member, and include the amount to be deducted as a parameter. The request succeeds without any authorization check, because the server never verifies that the token's owner matches '{memberId}', and the funds are deducted from the victim's account.
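The following is an added illustration and not code from the Youlai-Mall project. It shows, in a minimal Spring MVC controller, the pattern the advisory describes (the path 'memberId' is trusted as-is) next to one way to enforce the missing check: the member identity is taken from the authenticated principal and the request is refused when it does not match the path. The controller class, the 'MemberService' interface, the 'MemberPrincipal' record and the parameter name 'amount' are assumptions; the project's real service, principal type and request shape are not specified on this page.

```java
// Added example, not Youlai-Mall code. Class, service and principal names are assumed.
package example.mall.member;

import java.math.BigDecimal;
import java.util.Objects;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/app-api/v1/members")
public class MemberBalanceController {

    // Assumed service interface; the real project's service and signature may differ.
    public interface MemberService {
        boolean deductBalance(Long memberId, BigDecimal amount);
    }

    // Assumed principal shape: the authenticated member's id carried by the token.
    public record MemberPrincipal(Long memberId) {}

    private final MemberService memberService;

    public MemberBalanceController(MemberService memberService) {
        this.memberService = memberService;
    }

    // VULNERABLE pattern, as the advisory describes it: the caller is authenticated,
    // but the path memberId is used directly, so any member can deduct from any other.
    @PutMapping("/{memberId}/balances/_deduct_vulnerable")
    public ResponseEntity<Boolean> deductBalanceVulnerable(@PathVariable Long memberId,
                                                           @RequestParam BigDecimal amount) {
        return ResponseEntity.ok(memberService.deductBalance(memberId, amount));
    }

    // HARDENED: the member id comes from the principal, the path must agree with it,
    // and the amount is validated. A mismatch is rejected with 403 rather than silently
    // rewritten, so the attempt is visible in logs instead of being masked.
    @PutMapping("/{memberId}/balances/_deduct")
    public ResponseEntity<Boolean> deductBalance(@PathVariable Long memberId,
                                                 @RequestParam BigDecimal amount) {
        Long callerId = currentMemberId();
        if (callerId == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        if (!Objects.equals(callerId, memberId)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        if (amount == null || amount.signum() <= 0) {
            return ResponseEntity.badRequest().build();
        }
        return ResponseEntity.ok(memberService.deductBalance(callerId, amount));
    }

    // Reads the member id from Spring Security's context. How the real project
    // represents the principal (e.g. a JWT claim) is an assumption here.
    static Long currentMemberId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getPrincipal() instanceof MemberPrincipal principal)) {
            return null;
        }
        return principal.memberId();
    }
}
```

The ownership check is the minimum fix for the cross-account deduction. Because the advisory notes that deductions belong to order payment and refund flows rather than to a user-callable endpoint, a stricter remediation is to remove the app-facing route entirely and expose the deduction only to internal service-to-service callers, where the caller's identity and the originating order can both be verified.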
