newbee-ltd / newbee-mall-plus

🔥 🎉 The newbee-mall-plus project is an upgraded version of the newbee-mall project. It adds a coupon module, a flash-sale (seckill) module and Alipay payment, improves the search function, and will continue to add feature modules and popular technology stacks.

Home Page: http://121.4.124.33:9001

License: GNU General Public License v3.0

Java 100.00%
springboot2 springboot spring-boot seckill miaosha newbee-mall springboot-sample mall java8


newbee-mall-plus's Issues

[security vulnerability] arbitrary coupon obtain

Recently, our team found an arbitrary coupon acquisition vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/main/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallCouponServiceImpl.java#92.

The operation ltd.newbee.mall.dao.NewBeeMallCouponMapper.selectByPrimaryKey() is not protected by permission checks,
while the request path is also unauthorized, which means an attacker can obtain arbitrary coupons.

To address this vulnerability, we strongly advise that developers implement access control policies that limit API access to admin users or the owner.

[security vulnerability] arbitrary coupon obtain

Recently, our team found an arbitrary coupon acquisition vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/main/src/main/java/ltd/newbee/mall/controller/mall/CouponController.java#57.

The operation ltd.newbee.mall.dao.NewBeeMallCouponMapper.reduceCouponTotal() is not protected by permission checks,
while the request path is also unauthorized, which means an attacker can obtain arbitrary coupons.

To address this vulnerability, we strongly advise that developers implement access control policies that limit API access to admin users or the owner.

[security vulnerability] Arbitrary Coupon Usage Vulnerability

Recently, our team found an arbitrary coupon usage vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L199.

The developer failed to check the ownership of the couponUserId against the accessing user when updating the coupon status via newBeeMallUserCouponRecordMapper.updateByPrimaryKeySelective(), leading to the usage of arbitrary coupons via a crafted request to /saveOrder (i.e., https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L83).

We recommend that developers add an access control policy to ensure that the owner of the coupon is the current accessor.

Software copyright registration vs. GPLv3

Just curious: when it comes to protecting source code, isn't there some contradiction between software copyright registration and GPLv3?
The GPL basically encourages commercial use of the code, on the condition that the original author's attribution is kept. But doesn't software copyright registration protect the source code from being used?
How should I understand a GPLv3 license combined with software copyright registration?
I only recently started following this project and then learned about the imooc (慕课网) matter; of course I don't care about imooc. I'm just curious whether this mall can still be used commercially under the terms of GPLv3.

Failed to connect to the database

Caused by: com.mysql.cj.exceptions.UnableToConnectException: Public Key Retrieval is not allowed
Caused by: java.sql.SQLNonTransientConnectionException: Could not create connection to database server.
Caused by: org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is java.sql.SQLNonTransientConnectionException: Could not create connection to database server.

[security vulnerability] File upload vulnerability

Recently, our team discovered a file upload vulnerability in the latest version of the project.
[Suggested description]
A file upload vulnerability exists in newbee plus mall, because the upload restriction in the upload method of UploadController can be bypassed by adding malicious content to real images.

[Vulnerability Type]
File upload vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall-plus

[Affected Product Code Base]
V2.4.1

[Affected Component]
`POST /admin/upload/file HTTP/1.1
Host: localhost:28079
User-Agent: Mozilla/5.0 (Android 11; Mobile; rv:83.0) Gecko/83.0 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1137582032273165729786442929
Content-Length: 292
Origin: http://localhost:28079
Connection: close
Referer: http://localhost:28079/admin/goods/edit
Cookie: SESSION=YWZlMDUxNjMtYWMxNy00MTg1LWI0YTMtYjhjMWFlZmZjNmIy
Upgrade-Insecure-Requests: 1

-----------------------------1137582032273165729786442929
Content-Disposition: form-data; name="file"; filename="spacer.html"
Content-Type: image/gif

GIF89a���!ù��,����D�;

<script>alert("xss")</script>

-----------------------------1137582032273165729786442929--`

[Impact Code execution]
true

[Vulnerability proof]
1. Access the address http://localhost:28089/admin/goods, select a commodity to modify and enter the file upload page.
2. Open the Burp Suite packet-capturing proxy and click to upload a picture.
3. By default, the system only supports JPG, PNG and GIF files. We can bypass this by adding malicious content to real images.
4. Modify the value of filename to spacer.html. Get the access path from the upload success response:
5. Access the uploaded file's path, and the vulnerability reproduction is complete.

[Defective code]
https://github.com/newbee-ltd/newbee-mall-plus/blob/a8c057d6145cf8c6f0dbc2dc05af8e1414f0bf2c/src/main/java/ltd/newbee/mall/controller/common/UploadController.java#L54.
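The bypass above works because the stored file keeps the client-chosen extension (.html) while only the leading bytes are checked. As an added example (not the project's UploadController; assumes Java 11+, and the allowlist, stand-in names and the `store` signature are this example's own), the validator below derives the stored extension from an allowlist, requires the magic bytes to agree with that extension, and never lets the client filename reach the filesystem:

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.*;
import java.util.*;

public final class ImageUploadValidator {

    // Allowed extensions and the leading bytes each format must begin with (assumed allowlist).
    private static final Map<String, byte[]> MAGIC = Map.of(
            "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "png", new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "gif", new byte[]{'G', 'I', 'F', '8'});

    // Lower-cased extension of the client filename; "" when absent or when the name carries a path.
    public static String extensionOf(String clientName) {
        if (clientName == null || clientName.contains("/") || clientName.contains("\\")) {
            return "";
        }
        int dot = clientName.lastIndexOf('.');
        return dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // True when the first bytes of the content carry the signature expected for ext.
    public static boolean magicMatches(byte[] head, String ext) {
        byte[] sig = MAGIC.get(ext);
        return sig != null && head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig);
    }

    // Stores the upload under a server-generated name and returns it. "spacer.html" is refused at the
    // extension check before any content is read; a .gif whose bytes are not GIF is refused after it.
    public static String store(String clientName, InputStream content, Path uploadDir) throws IOException {
        String ext = extensionOf(clientName);
        if (!MAGIC.containsKey(ext)) {
            throw new IllegalArgumentException("only jpg/png/gif uploads are accepted");
        }
        byte[] head = content.readNBytes(8);
        if (!magicMatches(head, ext)) {
            throw new IllegalArgumentException("file content does not match its extension");
        }
        String storedName = UUID.randomUUID() + "." + ext;   // random name, allowlisted extension only
        Path target = uploadDir.resolve(storedName).normalize();
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            out.write(head);
            content.transferTo(out);
        }
        return storedName;
    }
}
```

A GIF that carries HTML after a valid header still passes this check under a .gif name, so the upload directory should be served with a Content-Type derived from the stored extension plus X-Content-Type-Options: nosniff, or the image re-encoded on the server to drop trailing content.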

On login, if the login fails, the verification code is not fetched again automatically, so on the second submission the verification code is null and the login fails

httpSession.setAttribute(Constants.MALL_VERIFY_CODE_KEY, null);
String loginResult = newBeeMallUserService.login(loginName, MD5Util.MD5Encode(password, Constants.UTF_ENCODING), httpSession);
// login succeeded
if (ServiceResultEnum.SUCCESS.getResult().equals(loginResult)) {
    // remove verifyCode from the session
    httpSession.removeAttribute(Constants.MALL_VERIFY_CODE_KEY);
    return ResultGenerator.genSuccessResult();
}
// login failed
return ResultGenerator.genFailResult(loginResult);

In the controller code above, the verification code in the session is set to null whether or not the user's login succeeds;
as a result, if the user does not refresh the verification code manually, the login fails because the backend keeps receiving a null verification code.
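One way to keep the code single-use (so a captured code cannot be replayed against a second login attempt) while avoiding the null-on-retry failure described above is to make every non-success response tell the client to reload the captcha. This is an added example, not the project's login controller; the session key, LoginResult type and the BooleanSupplier standing in for newBeeMallUserService.login() are this example's own:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.function.BooleanSupplier;
import javax.servlet.http.HttpSession;

public final class VerifyCodeCheck {

    public static final String VERIFY_CODE_KEY = "MALL_VERIFY_CODE"; // stand-in for Constants.MALL_VERIFY_CODE_KEY

    public enum Outcome { OK, CODE_EXPIRED, CODE_WRONG }

    public static final class LoginResult {
        public final boolean success;
        public final boolean needNewCode;   // client reloads the captcha image when true
        public final String message;
        LoginResult(boolean success, boolean needNewCode, String message) {
            this.success = success; this.needNewCode = needNewCode; this.message = message;
        }
    }

    // Compares the submitted code with the session copy and always invalidates the session copy.
    public static Outcome consume(HttpSession session, String submitted) {
        Object stored = session.getAttribute(VERIFY_CODE_KEY);
        session.removeAttribute(VERIFY_CODE_KEY);              // single use: a code is never compared twice
        if (!(stored instanceof String) || submitted == null) {
            return Outcome.CODE_EXPIRED;                       // nothing to compare: the client must refresh
        }
        byte[] a = ((String) stored).toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b) ? Outcome.OK : Outcome.CODE_WRONG;   // constant-time compare
    }

    // Login flow; credentialCheck stands in for newBeeMallUserService.login(). The code is checked
    // before credentials, and every non-success response carries needNewCode=true.
    public static LoginResult login(HttpSession session, String code, BooleanSupplier credentialCheck) {
        Outcome outcome = consume(session, code);
        if (outcome != Outcome.OK) {
            return new LoginResult(false, true, outcome.name());
        }
        boolean ok = credentialCheck.getAsBoolean();
        return new LoginResult(ok, !ok, ok ? "SUCCESS" : "LOGIN_FAILED");
    }
}
```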

SQL injection vulnerability

SQL injection exists in newbee mall: on the order page, the mapper fragment <if test="sortField != null and order != null"> order by ${sortField} ${order} </if> is not precompiled, allowing logged-in user attackers to steal sensitive information such as databases by constructing malicious sql statements.
newbee-mall-plus-main\src\main\resources\mapper\NewBeeMallOrderMapper.xml

Payload: _search=false&nd=1693539277711&limit=20&page=111&sidx=createTime&order=desc,(SELECT (CASE WHEN (1153=1153) THEN 1 ELSE 1153*(SELECT 1153 FROM INFORMATION_SCHEMA.PLUGINS) END))&totalrows=
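MyBatis `${}` splices text into the statement verbatim, and a column name or sort direction cannot be bound with `#{}`, so the fix is to allowlist what reaches `${sortField} ${order}` before the mapper is called. Added example, not the project's service or mapper: the column names in the map are assumed for illustration, and the order payload shown in the issue ("desc,(SELECT ...)") is rejected at `direction()`:

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class OrderSortAllowlist {

    // Client-facing sort keys mapped to the exact column names allowed in ORDER BY (column names assumed).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "createTime", "create_time",
            "totalPrice", "total_price",
            "orderStatus", "order_status");

    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    // Returns the mapped column or throws; the raw client string is never returned.
    public static String column(String sortField) {
        String col = sortField == null ? null : SORT_COLUMNS.get(sortField);
        if (col == null) {
            throw new IllegalArgumentException("unsupported sortField");
        }
        return col;
    }

    // Returns exactly "asc" or "desc"; anything with a comma, parenthesis or subquery fails the lookup.
    public static String direction(String order) {
        String d = order == null ? "" : order.trim().toLowerCase(Locale.ROOT);
        if (!DIRECTIONS.contains(d)) {
            throw new IllegalArgumentException("unsupported order");
        }
        return d;
    }

    // The two values the service hands to the mapper; only these ever reach ${sortField} ${order}.
    public static String[] sortParams(String sortField, String order) {
        return new String[]{column(sortField), direction(order)};
    }
}
```

Rejecting (rather than silently defaulting) also gives a clean signal to log: any request that fails these lookups carries a value no legitimate client sends.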

[security vulnerability] Arbitrary Coupon Delete Vulnerability

Recently, our team found an arbitrary coupon usage vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/main/src/main/java/ltd/newbee/mall/controller/mall/CouponController.java#L67.

Unauthorized access to the @DeleteMapping("coupon/{couponUserId}") API enables attackers to manipulate the path parameter couponUserId and delete coupons belonging to other users.

To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner are authorized to perform the delete operation.
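The three coupon reports above (obtain, usage at /saveOrder, and delete at coupon/{couponUserId}) share one root cause: a client-supplied couponUserId is acted on without first requiring a logged-in user and checking that the record belongs to that user. Added example, not the project's CouponController or NewBeeMallCouponServiceImpl: the record type and mapper methods are stand-ins with assumed names, and the owner condition is repeated inside the SQL so a check-then-act race cannot slip past it:

```java
import java.util.Optional;

public final class CouponOwnershipGuard {

    // Minimal stand-in for a persisted user-coupon row.
    public static final class UserCouponRecord {
        public final long couponUserId;
        public final long userId;
        public final boolean used;
        public UserCouponRecord(long couponUserId, long userId, boolean used) {
            this.couponUserId = couponUserId; this.userId = userId; this.used = used;
        }
    }

    // Stand-in mapper; the delete/update statements repeat the owner condition in SQL.
    public interface UserCouponRecordMapper {
        UserCouponRecord selectByPrimaryKey(long couponUserId);
        int deleteByIdAndUser(long couponUserId, long userId);   // DELETE ... WHERE coupon_user_id=? AND user_id=?
        int markUsedByIdAndUser(long couponUserId, long userId); // UPDATE ... SET use_status=1 WHERE ... AND user_id=? AND use_status=0
    }

    private final UserCouponRecordMapper mapper;

    public CouponOwnershipGuard(UserCouponRecordMapper mapper) { this.mapper = mapper; }

    // Resolves a record only if the session user owns it; a missing id and another user's id look the same.
    public Optional<UserCouponRecord> findOwned(Long sessionUserId, long couponUserId) {
        if (sessionUserId == null) {
            throw new SecurityException("login required");      // closes the unauthenticated-path case
        }
        UserCouponRecord rec = mapper.selectByPrimaryKey(couponUserId);
        return (rec != null && rec.userId == sessionUserId) ? Optional.of(rec) : Optional.empty();
    }

    // coupon/{couponUserId} delete: the ownership condition is also in the SQL, so a race cannot bypass it.
    public boolean deleteOwned(Long sessionUserId, long couponUserId) {
        return findOwned(sessionUserId, couponUserId).isPresent()
                && mapper.deleteByIdAndUser(couponUserId, sessionUserId) == 1;
    }

    // /saveOrder use: the coupon is applied only when it belongs to the buyer and is still unused.
    public boolean useOwned(Long sessionUserId, long couponUserId) {
        Optional<UserCouponRecord> rec = findOwned(sessionUserId, couponUserId);
        return rec.isPresent() && !rec.get().used
                && mapper.markUsedByIdAndUser(couponUserId, sessionUserId) == 1;
    }
}
```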

[security vulnerability] Arbitrary Order Detail Access Vulnerability

Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L193.

Since an attacker can control the path variables orderNo and userId via a crafted request, the ownership check before querying orders by newBeeMallOrderItemMapper.selectByOrderId() (i.e., https://github.com/newbee-ltd/newbee-mall-plus/blob/main/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L347) is useless, so any order can be traversed by an attacker to get its details.

We recommend that developers add an access control policy before calling newBeeMallOrderService.getOrderDetailByOrderNo() to ensure that the accessor is an admin user or the owner of the order.

Some questions about the flash sale (seckill)

Hello, I'd like to ask a few questions about the flash-sale feature, thanks!

  1. The core of the flash sale uses a stored procedure. What is the advantage of using a stored procedure, and why hand it to a stored procedure rather than handling it in the code layer?
  2. What were the server and DB configuration environments for the flash-sale tests?
  3. From the implementation, product information is cached in Redis, but stock deduction still happens at the DB layer. With 100000 requests per second, can the DB hold up?

Quick-setup documentation?

If commercial use is fine, is there any quick-setup documentation? I had a quick look at the table of contents of that 69-yuan document, and it doesn't seem to be about the same thing.
From a quick look, newbee roughly consists of the backend newbee-mall-api and two frontends, newbee-mall-vue3-app and vue3-admin.
Could there be documentation that lets people who are not very familiar with it set it up quickly, whether for commercial use or for learning?
Paying for it is of course acceptable. Wouldn't that help the project spread faster? After all, besides the code itself, some system dependencies are needed, such as redis, mysql and the like.

Containerized deployment of plus

When deploying the plus version in a container, fetching the verification code image fails, while deploying directly on a linux host fetches the verification code normally. How can this be handled? Capturing the request for the image shows no error, but no verification code image is generated.

[security vulnerability] Free Payment of Orders

Recently, our team found a vulnerability causing the free payment of orders in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L444.

The developer failed to check the privilege of the accessor when updating the order status via newBeeMallOrderMapper.updateByPrimaryKeySelective(), while the request path /paySuccess is also unauthorized (i.e., https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L207), which means an attacker can change the pay status of the order to achieve free payment.

We recommend that developers add access control policies to restrict changes of order status, especially pay status.
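The order-detail and free-payment reports above are both fixed by deciding authorization on the server side: the detail lookup uses the session user (never a userId from the path), and the pay status is advanced only from a gateway notification whose signature and amount were verified, not from a user-callable /paySuccess. Added example, not the project's OrderController or NewBeeMallOrderServiceImpl; the Order/OrderMapper types, the notification parameter names and the signature Predicate are stand-ins with assumed names:

```java
import java.util.Map;
import java.util.function.Predicate;

public final class OrderAccessGuard {

    public static final class Order {
        public final String orderNo; public final long userId; public final long totalCents;
        public Order(String orderNo, long userId, long totalCents) {
            this.orderNo = orderNo; this.userId = userId; this.totalCents = totalCents;
        }
    }

    public interface OrderMapper {
        Order selectByOrderNo(String orderNo);
        int updatePayStatus(String orderNo, int expectedOld, int next); // UPDATE ... WHERE order_no=? AND pay_status=?
    }

    // Exists only after the gateway notification was verified; the private constructor keeps user requests from fabricating one.
    public static final class VerifiedPayment {
        public final String orderNo; public final long paidCents;
        private VerifiedPayment(String orderNo, long paidCents) { this.orderNo = orderNo; this.paidCents = paidCents; }
    }

    // Notify handler side. signatureOk stands in for the gateway SDK's signature check; parameter names are constructed.
    public static VerifiedPayment verifyNotify(Map<String, String> params, Predicate<Map<String, String>> signatureOk) {
        if (!signatureOk.test(params)) {
            throw new SecurityException("gateway signature invalid");
        }
        return new VerifiedPayment(params.get("out_trade_no"), Long.parseLong(params.get("paid_cents")));
    }

    private final OrderMapper mapper;
    public OrderAccessGuard(OrderMapper mapper) { this.mapper = mapper; }

    // Order detail: the owner or an admin may read; a userId in the path is ignored entirely.
    public Order detailFor(String orderNo, long sessionUserId, boolean isAdmin) {
        Order o = mapper.selectByOrderNo(orderNo);
        if (o == null || (!isAdmin && o.userId != sessionUserId)) {
            throw new IllegalArgumentException("order not found");   // same answer for missing and foreign orders
        }
        return o;
    }

    // Replaces a user-callable /paySuccess: only a VerifiedPayment of the right amount moves pay_status 0 -> 1.
    public boolean applyPayment(VerifiedPayment p) {
        Order o = mapper.selectByOrderNo(p.orderNo);
        return o != null && p.paidCents == o.totalCents && mapper.updatePayStatus(p.orderNo, 0, 1) == 1;
    }
}
```

The conditional update (pay_status must still be 0) makes a replayed or duplicated notification a no-op rather than a second state change.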
