Title: Mass Assignment Vulnerability in Litemall ≤ 1.8.0

BUG_Author: Noel
Affected Version: Litemall ≤ 1.8.0
Vendor: https://github.com/linlinjava/litemall

Software: https://github.com/linlinjava/litemall

Vulnerability Files:

Requirements

Description

Litemall is an e-commerce application built with Spring Boot. In the current open-source version there is a mass assignment vulnerability in the /wx/comment/post endpoint. This endpoint allows an attacker to set the adminContent field, enabling them to forge administrator comments, which could lead to social engineering attacks such as misleading users, publishing fake promotions/scams, and spreading malicious links and viruses.
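The mechanism and the usual fix, as an added self-contained Java illustration (this is not Litemall's code; the class and field names, and the tiny reflective binder that stands in for Spring's JSON request binding, are assumptions):

```java
import java.lang.reflect.Field;
import java.util.Map;

// Added illustration with assumed names, not the project's own code.
public class MassAssignmentDemo {

    // Persisted entity; adminContent is meant to be written only by an admin.
    static class Comment {
        public Integer userId;
        public String content;
        public String adminContent;
    }

    // DTO that declares only the fields a customer may submit.
    static class CommentPostRequest {
        public String content;
    }

    // Sets every JSON key that matches a public field, like a JSON mapper would.
    static <T> T bind(Map<String, Object> json, Class<T> target) throws Exception {
        T obj = target.getDeclaredConstructor().newInstance();
        for (Field f : target.getFields()) {
            if (json.containsKey(f.getName())) f.set(obj, json.get(f.getName()));
        }
        return obj;
    }

    // VULNERABLE: the body is bound straight to the entity, so adminContent
    // is accepted from whoever sends the request.
    static Comment postVulnerable(int userId, Map<String, Object> json) throws Exception {
        Comment c = bind(json, Comment.class);
        c.userId = userId;
        return c;
    }

    // HARDENED: bind to the DTO, then copy only whitelisted fields into a fresh entity.
    static Comment postHardened(int userId, Map<String, Object> json) throws Exception {
        CommentPostRequest req = bind(json, CommentPostRequest.class);
        Comment c = new Comment();
        c.userId = userId;
        c.content = req.content;
        return c; // adminContent stays null; only an admin path may set it
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> body = Map.of("content", "nice", "adminContent", "forged");
        System.out.println(postVulnerable(7, body).adminContent);
        System.out.println(postHardened(7, body).adminContent);
    }
}
```

Detection-wise, the same idea applies when auditing any endpoint that takes `@RequestBody` of a persisted entity: check whether privileged fields such as adminContent are cleared or whether a DTO is used.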

Steps to Reproduce:

Build the Docker environment based on this document:

cd litemall
cat ./litemall-db/sql/litemall_schema.sql > ./docker/db/init-sql/litemall.sql
cat ./litemall-db/sql/litemall_table.sql >> ./docker/db/init-sql/litemall.sql
cat ./litemall-db/sql/litemall_data.sql >> ./docker/db/init-sql/litemall.sql

mvn clean package
cp -f ./litemall-all/target/litemall-all-*-exec.jar ./docker/litemall/litemall.jar

cd docker
docker-compose up -d --build

We can log in to the system using the default account/password: user123/user123

In the client code, no adminContent field is set when a user posts a comment: https://github.com/linlinjava/litemall/blob/c2861385afa6920c68c1c448f0777f5a25d90fae/renard-wx/pages/commentPost/commentPost.js#L130


So we can use Burp Suite to intercept the request and add an adminContent field: