Zhong Bang CRMEB
cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*
- <= 5.6.3
An improper authorization vulnerability has been identified in Zhong Bang CRMEB versions through 5.6.3. It affects the order detail API, specifically the function 'detail/tidyOrder' in the file '/api/store_integral/order/detail/:uni'. The flaw arises from missing authorization checks when order details are accessed, so any logged-in user can view sensitive information, such as the recipient's name, phone number, and address, for any other user's order. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability leads to unauthorized access to sensitive user information, including personal details and order data, which could be misused for privacy invasion, social engineering attacks, or competitive analysis.
To reproduce this vulnerability, log into the application as a user with a UID that is not the owner of the order. Then, send a GET request to the order detail API with an order ID belonging to a different user. The response will include the sensitive order details, demonstrating the improper authorization flaw.
It is recommended to implement UID verification in the order detail controller to ensure that users can only access their own order information. Additionally, a thorough code review and security training for developers on access control best practices are advised.
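As an added illustration (not CRMEB's own code), the following plain PHP shows a minimal order-detail handler in the vulnerable shape, where the lookup is keyed on the order number alone, next to the hardened shape recommended above, where the caller's UID is part of the query; it also goes one step further by answering a foreign order exactly like a missing one so the endpoint does not confirm which order numbers exist. OrderRepository, ArrayOrders and the order row fields are hypothetical stand-ins for the project's model layer.

```php
<?php
// Added illustration, not CRMEB's code. OrderRepository and the order row
// shape are hypothetical stand-ins for the project's model layer.
declare(strict_types=1);

final class OrderNotFound extends RuntimeException {}
interface OrderRepository
{
    public function findByUni(string $uni): ?array;                  // any owner
    public function findByUniForUser(string $uni, int $uid): ?array; // WHERE uni=? AND uid=?
}
// Vulnerable shape: lookup by order number alone. $callerUid is never consulted,
// so any logged-in user can read any order's recipient name, phone and address.
function detailVulnerable(OrderRepository $repo, int $callerUid, string $uni): array
{
    $order = $repo->findByUni($uni);
    if ($order === null) { throw new OrderNotFound(); }
    return tidyOrder($order);
}
// Hardened shape: the caller's UID is part of the query, so the handler never
// holds a foreign row, and a foreign order is answered exactly like a missing
// one, so the endpoint does not confirm which order numbers exist.
function detailHardened(OrderRepository $repo, int $callerUid, string $uni): array
{
    $order = $repo->findByUniForUser($uni, $callerUid);
    if ($order === null) { throw new OrderNotFound(); }
    return tidyOrder($order);
}
// Strip internal columns before the row leaves the API.
function tidyOrder(array $order): array
{
    unset($order['uid']);
    return $order;
}
// Constructed in-memory repository so the file runs stand-alone.
final class ArrayOrders implements OrderRepository
{
    public function __construct(private array $rows) {}
    public function findByUni(string $uni): ?array { return $this->rows[$uni] ?? null; }
    public function findByUniForUser(string $uni, int $uid): ?array
    {
        $row = $this->rows[$uni] ?? null;
        return ($row !== null && $row['uid'] === $uid) ? $row : null;
    }
}

$repo = new ArrayOrders(['wx100' => ['uid' => 7, 'real_name' => 'A. User', 'user_phone' => '13800000000']]);
print_r(detailVulnerable($repo, 42, 'wx100'));                        // uid 42 sees uid 7's data
try { detailHardened($repo, 42, 'wx100'); } catch (OrderNotFound $e) { echo "not found\n"; }
```

Putting the UID into the query condition rather than checking it after the fetch also means a later refactor cannot accidentally return the row before the check runs.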