Hi @PanJiaChen ,
I'm Samprit Das from @redhuntlabs. I’ve identified a critical vulnerability in your application. Kindly review the attached report and address the issue at your earliest convenience.
Title: Unauthorized Access to Transaction Details
Observation: During testing it has been observed that the application allows unauthorized users to access transaction details and see routes. When we remove the session token from the cookie header, any user is able to access the transaction information and route details.
Technical Impact: The lack of proper session validation allows unauthorized access, leading to broken access control and potential data leakage of sensitive transaction details.
Business Impact: This vulnerability can result in privacy violations, loss of customer trust, and potential legal or regulatory consequences, especially if financial data is exposed.
Steps to reproduce:
Log in from the admin account and capture the request for the following endpoint in Burp Suite.
Now remove the cookie and access token header from the request and observe the response.
Now change the endpoint to /dev-api/routes and observe its response.
Remediation:
Implement strict session validation on the server side for every request. Ensure that access to sensitive endpoints like transaction details is restricted based on valid, authenticated session tokens. Additionally, enforce proper access control checks to verify user authorization before displaying any sensitive information.
sampritdas8 changed the title from "Unauthorized Access to Transaction Details Due to Missing Session Validation (by @RedHuntLabs)" to "Unauthorized Access to Transaction Details (by @RedHuntLabs)" on Apr 23, 2025
Severity: Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Resources Affected:
http://192.168.1.9:9527/dev-api/transaction/list
http://192.168.1.9:9527/dev-api/routes
Affected code:
https://github.com/PanJiaChen/vue-element-admin/blob/master/mock/remote-search.js#L33
https://github.com/PanJiaChen/vue-element-admin/blob/master/src/api/role.js#L5