MacCMS Authorization Bypass Vulnerability in Member Order Detail Interface
Vulnerability
A missing object-level authorization (IDOR) vulnerability has been identified in MacCMS versions through 2025.1000.4052. The issue resides in the order detail API of the member center, specifically the 'order_info' function in 'application/index/controller/User.php'. The function looks up an order by the caller-supplied 'order_id' parameter alone and never checks that the order belongs to the logged-in account, so any authenticated user can read other users' order details by changing the 'order_id' value. The exposed fields include order codes, prices, remarks, and user identifiers.
Impact
Any authenticated member can bypass authorization and read order details belonging to other users, including order amounts, order codes, order remarks, and the user identifiers tied to each order. Where the remarks field carries payment or processing notes, the disclosed data can support social engineering of the affected users or abuse of the site's business processes. Only read access to order records is described; no modification of orders is claimed.
Reproduction
To reproduce this vulnerability, register or log in as an ordinary member, then send a request to the 'order_info' endpoint with an 'order_id' that belongs to a different account (for example, an order created from a second test account). The API returns the full order record even though the requesting user does not own it, which demonstrates the missing object-level authorization check. The same request issued with one of the caller's own 'order_id' values serves as the control case.
Remediation
It is recommended to constrain the lookup in 'order_info' to the authenticated user, i.e. add the current user's id to the query condition alongside 'order_id' and treat a non-matching row exactly like a nonexistent order, so the response does not reveal whether the id exists. The same object-level authorization check should be applied to every member API that retrieves a resource by its primary key.
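The following PHP script is an added illustration written for this page; it is not MacCMS code. It models the reproduction step above (a logged-in member requesting another member's order) against a small constructed in-memory order table, and shows the vulnerable lookup beside the fixed one described under Remediation. The column names, the JSON response shape, and the ThinkPHP where() mapping in the comments are assumptions for the example.

```php
<?php
// Added example, not MacCMS code. Column and field names below are assumed.
declare(strict_types=1);

// Constructed sample rows standing in for the orders table.
const ORDERS = [
    ['order_id' => 1001, 'user_id' => 7, 'order_code' => 'OC-1001',
     'order_price' => 9.90,  'order_remarks' => 'paid via alipay'],
    ['order_id' => 1002, 'user_id' => 8, 'order_code' => 'OC-1002',
     'order_price' => 29.00, 'order_remarks' => 'vip upgrade, refund pending'],
];

/**
 * Vulnerable lookup: filters by the caller-controlled order_id only.
 * In a ThinkPHP query builder this corresponds to a bare
 * ->where('order_id', $orderId) (assumed pattern, shown for comparison).
 */
function order_info_vulnerable(int $currentUserId, int $orderId): ?array
{
    foreach (ORDERS as $row) {
        if ($row['order_id'] === $orderId) {
            return $row;               // ownership is never checked
        }
    }
    return null;
}

/**
 * Fixed lookup: the condition also binds the row to the logged-in user,
 * i.e. ->where(['order_id' => $orderId, 'user_id' => $currentUserId])
 * in query-builder terms (assumed pattern).
 */
function order_info_fixed(int $currentUserId, int $orderId): ?array
{
    foreach (ORDERS as $row) {
        if ($row['order_id'] === $orderId && $row['user_id'] === $currentUserId) {
            return $row;
        }
    }
    // Another user's order is answered exactly like a nonexistent one,
    // so the response does not confirm whether the id exists.
    return null;
}

/** JSON body in the shape a member API might return (assumed). */
function respond(?array $order): string
{
    if ($order === null) {
        return json_encode(['code' => 0, 'msg' => 'order not found']);
    }
    return json_encode(['code' => 1, 'msg' => 'ok', 'info' => $order]);
}

// Reproduction: user 7 is logged in and requests order 1002, owned by user 8.
$attacker    = 7;
$victimOrder = 1002;

echo "vulnerable: ", respond(order_info_vulnerable($attacker, $victimOrder)), PHP_EOL;
echo "fixed:      ", respond(order_info_fixed($attacker, $victimOrder)), PHP_EOL;
// Control case: the fixed lookup still serves the caller's own order.
echo "own order:  ", respond(order_info_fixed($attacker, 1001)), PHP_EOL;
```

Run with `php` on the command line. The first line prints user 8's order record to user 7, the second returns the generic not-found body, and the third confirms that adding the owner to the condition does not break legitimate access. The important design point is that the ownership check lives inside the lookup itself rather than as a separate comparison after the row is fetched, so it cannot be skipped by a later code path that reuses the query.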
