Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant

Summary

The shared wishlist add-to-cart endpoint authorizes access with a public sharing_code, but loads the acted-on wishlist item by a separate global wishlist_item_id and never verifies that the item belongs to the shared wishlist referenced by that code.

This lets an attacker use:

• a valid shared wishlist code for wishlist A
• a wishlist item ID belonging to victim wishlist B

to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A.

Because the victim item's stored buyRequest is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound.

Vulnerability Type

• Broken object-level authorization / IDOR
• Cross-user data disclosure
• Cross-user file disclosure variant

Root Cause

In app/code/core/Mage/Wishlist/controllers/SharedController.php, the shared flow does:

$item = Mage::getModel('wishlist/item')->load($itemId);
$wishlist = Mage::getModel('wishlist/wishlist')->loadByCode($code);
...
$item->addToCart($cart);

Relevant lines:

• SharedController.php:86 loads the wishlist item by global ID
• SharedController.php:87 loads the wishlist by shared code
• SharedController.php:99 imports the item into cart

There is no check that:

$item->getWishlistId() == $wishlist->getId()

The safe owner flow in app/code/core/Mage/Wishlist/controllers/IndexController.php:521-528 does preserve this binding by deriving the wishlist from item->getWishlistId().

The imported item keeps its original buyRequest because app/code/core/Mage/Wishlist/Model/Item.php:370-372 passes that stored request directly into:

$cart->addProduct($product, $buyRequest);

Security Impact

Baseline impact

An attacker can import another user's private wishlist item into the attacker's own cart, using an unrelated shared wishlist code.

This is a clear cross-user authorization bypass. The victim item's private configuration is copied into the attacker's quote, including custom-option values such as personalized text.

Stronger variant: cross-user file disclosure

If the victim item contains a custom option of type file, the imported quote item preserves file metadata such as:

• quote_path
• order_path
• secret_key

The file option renderer in app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php:547-552 generates a download URL from:

• the imported sales/quote_item_option ID
• the preserved secret_key

The downloader in app/code/core/Mage/Sales/controllers/DownloadController.php:150-185:

• loads quote item option by global ID
• verifies only product option type and secret_key
• reads the file from order_path or quote_path

It does not verify ownership of the quote item, order, or original wishlist item. This creates a cross-user file disclosure path once victim file metadata has been imported.

Steps To Reproduce

Lab data

• shared wishlist A:
  • wishlist_id = 1
  • customer_id = 2
  • sharing_code = 6376bb8c37a09c2de3664bd8cdc16412
• victim wishlist B:
  • wishlist_id = 2
  • customer_id = 3
• victim item:
  • wishlist_item_id = 1
  • wishlist_id = 2
  • product_id = 2
• victim private text option marker:
  • VICTIM-MARKER-49040822

Reproduction

Send:

GET /wishlist/shared/cart/?code=6376bb8c37a09c2de3664bd8cdc16412&item=1

Where:

• code belongs to shared wishlist A
• item=1 belongs to victim wishlist B

Expected result

The request should be rejected because the item does not belong to the shared wishlist referenced by the sharing_code.

Actual result

The application imports victim item 1 into the attacker's quote anyway.

Verified Evidence

Baseline variant

Previously verified at quote/option level in lab:

option_1 = VICTIM-MARKER-49040822

This shows that the attacker's cart received victim-private custom-option data from another user's wishlist item.

File-disclosure variant

Previously verified in lab after importing a victim file-option payload:

/sales/download/downloadCustomOption/id/9/key/86fca9b61c0b891b52fb/

This URL was generated from imported quote item option data containing the victim file metadata and secret key.

Why This Is A Valid Bug

This is not a timing issue and does not depend on non-default security settings.

The bug is a direct authorization failure:

• authorization is based on wishlist A's share code
• the acted-on object is item B from another wishlist
• there is no item-to-wishlist binding check
• victim-controlled item state is then copied into attacker-controlled cart state

That is a broken object-level authorization issue with clear cross-user impact.

Remediation

In SharedController::cartAction(), reject any request where the loaded item does not belong to the wishlist loaded from the share code:

$item = Mage::getModel('wishlist/item')->load($itemId);
$wishlist = Mage::getModel('wishlist/wishlist')->loadByCode($code);

if (!$item->getId() || !$wishlist->getId() || (int) $item->getWishlistId() !== (int) $wishlist->getId()) {
    return $this->_forward('noRoute');
}

Defense in depth:

• bind sales/download/downloadCustomOption to the current quote/order owner instead of trusting only id + secret_key