Zhong Bang CRMEB Missing Authorization Vulnerability in Crontab Endpoint

Vulnerability

A missing authorization vulnerability has been identified in Zhong Bang CRMEB versions through 5.6.3. The issue lies in the crontab endpoint, specifically in the CrontabController.php file: the cron job-related routes can be reached remotely without authentication, which allows unauthorized actions such as cancelling orders and disrupting the distribution system.

Impact

Exploitation of this vulnerability can cause unauthorized order cancellations, forced delivery confirmations, and disruption of the distribution system, including the unbinding of agent relationships.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated GET request to any of the affected crontab endpoints, for example with a tool like curl. For instance, the endpoint '/api/crontab/order_cancel', which cancels unpaid orders, can be invoked directly without any authentication token.

Remediation

To address this vulnerability, remove the 'false' parameter in the route configuration that makes authentication optional, so that the crontab routes require a valid token. Additionally, an IP whitelist middleware can be implemented to restrict access to the cron job endpoints to trusted source addresses only.
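The following is an added illustration of the two remediation steps described above; it is not CRMEB's own code. It assumes a ThinkPHP 6 style route file (CRMEB is built on ThinkPHP) and an auth-token middleware whose second argument toggles whether a token is required, with 'false' meaning optional. The middleware class name AuthTokenMiddleware, the CronIpAllowlist class, the route and controller names, and the allowlisted addresses are all assumptions or constructed values.

```php
<?php
// Added example, not CRMEB's own code. Assumes ThinkPHP 6 routing and an
// auth-token middleware whose optional second argument ("false") makes the
// token optional. Class, route and controller names below are assumptions.

use think\facade\Route;
use think\Request;
use think\Response;

/**
 * Hypothetical middleware: only the scheduler host(s) may call cron endpoints.
 * In a real deployment this class would live in app/api/middleware/.
 */
class CronIpAllowlist
{
    /** Constructed sample values; replace with the real scheduler host(s). */
    private const ALLOWED = ['127.0.0.1', '::1', '10.0.0.5'];

    public function handle(Request $request, \Closure $next): Response
    {
        // ThinkPHP's Request::ip() returns the socket address unless a trusted
        // proxy is configured, so X-Forwarded-For cannot be used to spoof it.
        $ip = $request->ip();
        if (!in_array($ip, self::ALLOWED, true)) {
            // Record the rejected caller so unexpected sources can be alerted on.
            trace("crontab endpoint denied for {$ip}", 'warning');
            return json(['status' => 403, 'msg' => 'forbidden'], 403);
        }
        return $next($request);
    }
}

// --- Weak setting (assumed shape of the vulnerable configuration) ---
// The trailing "false" makes the auth token optional, so unauthenticated
// requests reach the cron actions. Kept commented out for comparison only.
//
// Route::group('crontab', function () {
//     Route::get('order_cancel', 'v1.crontab.CrontabController/orderCancel');
// })->middleware(\app\api\middleware\AuthTokenMiddleware::class, false);

// --- Hardened form: token is mandatory AND the caller must be allowlisted ---
Route::group('crontab', function () {
    Route::get('order_cancel', 'v1.crontab.CrontabController/orderCancel');
    // other crontab routes go here under the same middleware stack
})->middleware(\app\api\middleware\AuthTokenMiddleware::class) // no "false"
  ->middleware(CronIpAllowlist::class);
```

Both controls are applied to the whole route group rather than to individual actions, so a cron route added later inherits the same protection. If the scheduler triggers these endpoints from the same machine, the allowlist can be reduced to the loopback addresses.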

Added: Feb 2, 2026, 12:19 AM
Updated: Feb 2, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          3.1
exploitability  9.7
remediation     0.0
relevance       2.5
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.