XiaozhangBang Voluntary Like System Discount Manipulation Vulnerability

Vulnerability

A vulnerability exists in the voting payment module of XiaozhangBang Voluntary Like System version 8.8. The 'zhekou' (discount) parameter of the vote purchase request is trusted by the server, so a remote attacker can set it to an arbitrarily low value and buy votes at a fraction of the intended price. The 'zid' parameter is likewise taken from the request rather than from the authenticated session, so the attacker can direct manipulated purchases at other users' vote counts as well as their own. The root cause is missing server-side validation of these client-supplied parameters; the consequences are financial loss for the operator and unfair manipulation of vote totals.

Impact

Exploitation of this vulnerability causes financial loss to the operator, since votes are sold at attacker-chosen prices, and an integrity violation, since vote counts for the attacker's own entry and for other users' entries can be manipulated unfairly.

Reproduction

To reproduce this vulnerability, send a POST request to '/topfirst.php' in the Pay module with the 'zhekou' parameter set to an unusually low value. The server applies the client-supplied discount to the purchase without checking it. Changing the 'zid' parameter in the same request redirects the purchase to another user's vote count. Once the payment is processed through the WeChat Pay integration, the system confirms the transaction and credits the purchased votes at the manipulated price.

Remediation

Compute all prices and discounts server-side from the selected vote package, and ignore client-supplied pricing parameters such as 'zhekou' rather than attempting to validate their values. Take the account to be credited ('zid') from the authenticated session instead of the request body, and reject requests in which the two disagree. As a second line of defence, credit votes in the WeChat Pay notification handler only when the amount reported by the payment provider equals the amount the server recorded for the order.
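The following is an added illustration of the flaw described in the Reproduction section beside the fix described in Remediation; it is not code from XiaozhangBang Voluntary Like System. The parameter names 'zhekou' and 'zid' come from the advisory; the package catalogue, discount-code table, prices, session object and function names are constructed for the example.

```python
"""Vote-purchase pricing: a handler that trusts client-supplied 'zhekou' and
'zid' (the pattern described in the advisory) beside a hardened handler that
derives every monetary value and the credited account server-side.

Added example, not the product's own code. Catalogue, discount codes, prices
and the Session type are constructed assumptions.
"""

from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")

# Constructed server-side catalogue: package id -> (vote count, price in CNY).
VOTE_PACKAGES = {
    "pkg10": (10, Decimal("10.00")),
    "pkg100": (100, Decimal("90.00")),
}

# Constructed server-side discount table, keyed by campaign code. The client
# may name a code; it never supplies the multiplier itself.
DISCOUNT_CODES = {
    "LAUNCH20": Decimal("0.80"),
}


@dataclass
class Session:
    user_id: str  # the authenticated buyer (constructed stand-in for the real session)


class PricingError(ValueError):
    """Raised when a purchase request must be rejected."""


def vulnerable_price(form: dict) -> tuple[str, Decimal]:
    """Mirrors the reported flaw: the discount multiplier and the credited
    account are both read straight from the POST body."""
    _votes, base = VOTE_PACKAGES[form["pkg"]]
    zhekou = Decimal(form.get("zhekou", "1"))  # attacker-controlled multiplier
    zid = form["zid"]                           # attacker-controlled beneficiary
    return zid, (base * zhekou).quantize(CENTS, ROUND_HALF_UP)


def hardened_price(form: dict, session: Session) -> tuple[str, Decimal]:
    """The server decides the amount and the beneficiary.

    'zhekou' in the body is ignored entirely. A 'zid' that does not match the
    logged-in user is rejected rather than honoured. Discounts are resolved
    from a server-side table by code, not taken as a raw factor.
    """
    try:
        _votes, base = VOTE_PACKAGES[form["pkg"]]
    except KeyError:
        raise PricingError("unknown vote package")

    code = form.get("discount_code")
    if code is None:
        multiplier = Decimal("1")
    elif code in DISCOUNT_CODES:
        multiplier = DISCOUNT_CODES[code]
    else:
        raise PricingError("unknown discount code")

    if "zid" in form and form["zid"] != session.user_id:
        raise PricingError("zid does not match authenticated user")

    amount = (base * multiplier).quantize(CENTS, ROUND_HALF_UP)
    return session.user_id, amount


def payment_matches_order(order_amount: Decimal, paid_amount: Decimal) -> bool:
    """Check to run in the payment-provider notification handler before
    crediting votes: the amount actually paid must equal the amount the
    server priced the order at. Constructed check, not the WeChat Pay SDK."""
    return order_amount == paid_amount


if __name__ == "__main__":
    attack = {"pkg": "pkg100", "zhekou": "0.01", "zid": "victim"}
    print("vulnerable:", vulnerable_price(attack))          # ('victim', Decimal('0.90'))
    try:
        print("hardened:", hardened_price(attack, Session("alice")))
    except PricingError as exc:
        print("hardened rejected:", exc)
```

Run as a script, the vulnerable handler prices the 100-vote package at 0.90 CNY and credits the account named in the request, while the hardened handler rejects the same request because the supplied 'zid' belongs to someone else; with 'zid' removed or set to the caller, it charges the full 90.00 CNY regardless of 'zhekou'.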

Added: Nov 5, 2025, 9:16 PM
Updated: Nov 5, 2025, 9:16 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread            0.0
impact            2.5
exploitability    6.6
remediation       0.0
relevance         1.0
threat            6.4
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.