Sanluan PublicCMS Insecure Direct Object Reference Vulnerability in Trade Address Deletion Endpoint
Vulnerability
A critical Insecure Direct Object Reference (IDOR) vulnerability exists in Sanluan PublicCMS versions through 5.202506.d. The issue is located in the Trade Address Deletion Endpoint, specifically within the delete function of the TradeAddressController. This vulnerability allows authenticated users to delete shipping addresses belonging to other users by manipulating the IDs of the addresses being deleted. The deletion process lacks proper authorization checks, as the application does not verify whether the user requesting the deletion actually owns the addresses. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of trade addresses, leading to permanent data loss and disruption of services that rely on this information. Victims may experience interrupted deliveries and a degraded user experience, having to re-enter shipping details manually.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to the '/tradeAddress/delete.html' endpoint, including a manipulated array of address IDs in the request body. The server will process the deletion without verifying ownership, resulting in the unauthorized removal of addresses.
Remediation
It is recommended to implement ownership verification checks in the TradeAddressController's delete method, ensuring that users can only delete addresses they own. Additionally, updating the TradeAddressService to include ownership validation before deletion can further secure the functionality.
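As an added illustration of the recommended fix (not PublicCMS source code), the following Spring-style sketch places the vulnerable unchecked delete beside a hardened version that filters the submitted IDs down to those the authenticated user actually owns; the TradeAddress entity, its userId field and the service method signatures are assumptions, not the project's real API.

```java
// Added illustrative example, not PublicCMS source. Only TradeAddressController,
// TradeAddressService and delete come from the advisory; the TradeAddress entity,
// its userId field and the service method signatures are assumed placeholders.
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

public class TradeAddressController {

    static class TradeAddress {
        Long id;
        Long userId; // owner of the address (assumed field name)
    }

    interface TradeAddressService {
        TradeAddress getEntity(Long id);
        void delete(Long[] ids);
    }

    private final TradeAddressService service;

    TradeAddressController(TradeAddressService service) { this.service = service; }

    // Vulnerable shape described in the advisory: every submitted id is passed
    // straight to the service, so nothing ties the ids to the caller.
    public void deleteUnchecked(Long[] ids) {
        service.delete(ids);
    }

    // Hardened shape: load each address and keep only ids whose owner matches
    // the session user; foreign ids are silently dropped (log them for detection).
    public Long[] deleteOwned(Long currentUserId, Long[] ids) {
        List<Long> owned = new ArrayList<>();
        if (ids != null) {
            for (Long id : ids) {
                TradeAddress a = service.getEntity(id);
                if (a != null && Objects.equals(a.userId, currentUserId)) {
                    owned.add(id);
                }
            }
        }
        Long[] filtered = owned.toArray(new Long[0]);
        if (filtered.length > 0) {
            service.delete(filtered); // only the caller's own addresses reach here
        }
        return filtered; // what was actually deleted, useful for audit logging
    }
}
```

For defence in depth, as the remediation text suggests, the same owner check belongs in the service layer too, for example by having the delete query constrain on both id and userId so that a controller regression cannot reopen the issue.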
