Macrozheng Mall Improper Authorization Vulnerability in Member Endpoint Allowing Privilege Escalation
Vulnerability
A vulnerability exists in Macrozheng Mall versions through 1.0.3, specifically within the Member Endpoint file '/member/address/update/'. This issue arises from improper authorization, allowing remote exploitation. The vulnerability enables attackers to manipulate address ownership by overwriting 'memberId' fields, transferring addresses to different accounts.
Impact
Exploitation of this vulnerability allows for lateral writes, where an attacker can transfer their address record to another account, causing confusion over ownership and potential business risks, such as mixing up shipping addresses for orders. Additionally, the victim's account becomes polluted with data not created by them, disrupting normal processes like ordering and delivery. The absence of audit logs for such changes further complicates accountability and forensic investigations.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to '/member/address/update/{id}' with a payload that includes a 'memberId' value corresponding to a different user. The absence of server-side checks allows the 'memberId' to be changed to any user, effectively transferring the address record to another account. This lateral overwrite can be verified by checking the address under the victim's account or querying the database for the updated 'memberId'.
Remediation
To address this vulnerability, implement server-side validation to block unauthorized updates to the 'memberId' field. Ensure that the 'memberId' is treated as immutable and not accepted from client requests. Consider using a dedicated Data Transfer Object (DTO) for updates that excludes the 'memberId' to prevent it from being deserialized into the entity. Additionally, establish audit logging for address modifications to track changes and maintain accountability.
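A hardened update handler for the endpoint described above, as an added Spring MVC example (not the project's own code): the request body is bound to an update DTO that has no 'id' or 'memberId' field, the owner's identity is taken from the authenticated session rather than the request, the stored record is loaded and ownership-checked before any field is copied, and every change is written to an audit log. The class and service names (MemberAddressUpdateDto, UmsMemberReceiveAddress, UmsMemberReceiveAddressService, UmsMemberService) and their methods are assumptions for this example, not taken from the project.

```java
import lombok.Data;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

/** Update DTO (assumed class): no id or memberId field, so neither can arrive from the client. */
@Data
class MemberAddressUpdateDto {
    private String name;
    private String phoneNumber;
    private String detailAddress;
}

@RestController
@RequestMapping("/member/address")
public class MemberAddressController {
    private static final Logger auditLog = LoggerFactory.getLogger("address-audit");
    private final UmsMemberReceiveAddressService addressService; // assumed service
    private final UmsMemberService memberService;                // assumed service

    public MemberAddressController(UmsMemberReceiveAddressService addressService,
                                   UmsMemberService memberService) {
        this.addressService = addressService;
        this.memberService = memberService;
    }

    @PostMapping("/update/{id}")
    public ResponseEntity<Void> update(@PathVariable Long id,
                                       @RequestBody MemberAddressUpdateDto dto) {
        // 1. Owner identity comes from the authenticated session, never from the body.
        Long currentMemberId = memberService.getCurrentMember().getId();
        // 2. Load the stored record and verify ownership before modifying it.
        UmsMemberReceiveAddress existing = addressService.getById(id);
        if (existing == null || !currentMemberId.equals(existing.getMemberId())) {
            // Same response for "absent" and "not yours", so address ids cannot be probed.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        // 3. Copy only the whitelisted DTO fields; id and memberId keep their stored values.
        existing.setName(dto.getName());
        existing.setPhoneNumber(dto.getPhoneNumber());
        existing.setDetailAddress(dto.getDetailAddress());
        addressService.updateById(existing);
        // 4. Audit trail: record who changed which address so modifications are traceable.
        auditLog.info("member={} updated address={}", currentMemberId, id);
        return ResponseEntity.ok().build();
    }
}
```

Because the DTO simply has no 'memberId' property, a request that still carries one is ignored by Jackson's default binding rather than silently transferring the record; the ownership check on the loaded entity is what stops an authenticated user from editing another member's address by id.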
