Youlaitech Youlai-Mall Improper Authorization Vulnerability in Order Payment Function
Vulnerability
An improper authorization vulnerability has been identified in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0. The issue arises in the 'submitOrderPayment' function within 'OrderController.java', where the 'orderSn' parameter is not validated against the authenticated user: the order is looked up by its serial number alone, with no check that it belongs to the caller. This allows an authenticated user to initiate payment for orders that belong to other users, leading to unauthorized payment processing and potential financial fraud. The vulnerability can be exploited remotely, and although a public exploit is available, there are doubts about the vulnerability's existence.
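The missing ownership check, shown as an added illustration that is not Youlai-Mall's own code: a vulnerable lookup by 'orderSn' alone beside a hardened version that binds the lookup to the authenticated member and refuses repeat payments. Class, field and method names (Order, OrderPaymentService, memberId, paid) are assumptions for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration only: Order, OrderPaymentService and memberId are assumed
// names, not Youlai-Mall's real classes or fields.
public class OrderPaymentService {
    static final class Order {
        final String orderSn;
        final long memberId;      // member who placed the order
        boolean paid;             // already paid? (guards duplicate payments)
        Order(String orderSn, long memberId) { this.orderSn = orderSn; this.memberId = memberId; }
    }
    // In-memory stand-in for the order repository.
    private final Map<String, Order> ordersBySn = new HashMap<>();
    void save(Order order) { ordersBySn.put(order.orderSn, order); }

    // Vulnerable pattern: the order is looked up by orderSn alone, so any
    // authenticated member can pay for any order whose orderSn they know.
    Order submitOrderPaymentVulnerable(long currentMemberId, String orderSn) {
        Order order = ordersBySn.get(orderSn);
        if (order == null) throw new IllegalArgumentException("order not found");
        order.paid = true;
        return order;
    }

    // Hardened pattern: the lookup is bound to the authenticated member, and a
    // foreign orderSn is reported exactly like a missing one so the response does
    // not reveal whether the order exists. The paid flag blocks repeat payments.
    Order submitOrderPayment(long currentMemberId, String orderSn) {
        Order order = ordersBySn.get(orderSn);
        if (order == null || order.memberId != currentMemberId) {
            throw new IllegalArgumentException("order not found");
        }
        if (order.paid) throw new IllegalStateException("order already paid");
        order.paid = true;
        return order;
    }

    public static void main(String[] args) {
        OrderPaymentService svc = new OrderPaymentService();
        svc.save(new Order("SN-1001", 7L));   // constructed sample: order owned by member 7
        long otherMember = 42L;
        try {
            svc.submitOrderPayment(otherMember, "SN-1001");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened: rejected for member 42 (" + e.getMessage() + ")");
        }
        System.out.println("hardened: member 7 paid " + svc.submitOrderPayment(7L, "SN-1001").orderSn);
    }
}
```

In a real controller the member id comes from the session or token, never from the request body, so the check cannot be satisfied by a client-supplied value.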
Impact
Exploitation of this vulnerability allows any authenticated user to initiate payments for arbitrary orders, bypassing ownership checks and causing potential financial loss and confusion. This could lead to unauthorized claims of goods, duplicate payments, and disruptions in payment processing, especially when combined with order enumeration or creation.
Reproduction
To reproduce this vulnerability, log in as a user and obtain a valid token. Then, send a POST request to '/mall-oms/app-api/v1/orders/payment' with a known 'orderSn' belonging to another user. The response will include payment details, indicating that the payment was processed without any ownership check.
