Vulnerability Database

40 vulnerabilities found in the e-GP system

ID Vulnerability CVSS Severity Category Endpoint Status Date
V13
listSubmitConsider IDOR — Competitor Bid Prices
IDOR: view competitors' bid prices via listSubmitConsider
9.1 CRITICAL IDOR /merbide003/v1/listSubmitConsider CONFIRMED 02-11

Details

The merbide003/v1/listSubmitConsider endpoint allows any authenticated merchant to retrieve bid consideration data for any other company by supplying a foreign bidderId in the request body. The server does not validate that the requesting user owns the bidderId. During active bidding windows, minPrice/maxPrice range is visible (e.g., 1,040,000-1,560,000). After envelope opening, the full priceProposal, contractDay, and all consideration items are returned. Tested on active project 69019546333 where SUBSIRI9 (non-bidder) retrieved data for both 123CON9 and 789RICHY.

Impact

Competitor bid prices, contract days, min/max price range visible before envelope opening. Full price disclosure after opening. Enables bid rigging.

Remediation

Validate that the bidderId belongs to the authenticated user's merchant account. Cross-check JWT sub against bidderId ownership in the database before returning data.

Method: POST
Endpoint: /merbide003/v1/listSubmitConsider
V14
Document Theft Chain — Competitor Registration Documents
IDOR: retrieve competitors' registration documents via listDocSubmitPart1/Part2
9.1 CRITICAL IDOR /merbide002/v1/listDocSubmitPart1 CONFIRMED 02-15

Details

The merbide002 service exposes two endpoints (listDocSubmitPart1 for registration documents and listFileDocSubmitPart2 for guarantee documents) that return document listings for any bidderId. Combined with the upload service apiKey-only auth (UPL1), an attacker can enumerate all competitor documents and download them. Tested: 5 document categories returned including company registration, director certificates, shareholder lists, guarantees, and SME certificates.

Impact

Full competitor document inventory: registration certificates, director lists, shareholder information, financial guarantees, SME certificates. Combined with UPL1 enables direct file download.

Remediation

Enforce ownership validation on bidderId. Only return documents belonging to the requesting merchant's own bids.

Method: POST
Endpoint: /merbide002/v1/listDocSubmitPart1
V15
PII Disclosure via infoBidderTemplateData
Personal data leak (OTP ref, address, phone number) via infoBidderTemplateData
8.6 CRITICAL IDOR /merbide004/v1/infoBidderTemplateData CONFIRMED 02-16

Details

The merbide004/v1/infoBidderTemplateData endpoint returns the full bid template including OTP reference code (e.g., 'aZbq' — verified 100% match), blockchain txId, exact quotation timestamp, priceStatus, document guarantee percentage (5.00%), and price validity days (30). The OTP reference is particularly dangerous as it could be combined with OTP brute-force (B3) to hijack the bid confirmation process. Tested on project 69019546333 retrieving 123CON9's data using SUBSIRI9's forged credentials.

Impact

OTP reference code leak enables bid confirmation hijack when combined with OTP brute-force. Blockchain txId, exact bid timestamp, and price status expose full bidding behavior of competitors.

Remediation

Restrict infoBidderTemplateData to return only the requesting merchant's own data. OTP reference codes must never be exposed to other parties.

Method: POST
Endpoint: /merbide004/v1/infoBidderTemplateData
V16
File Deletion via remFile — Competitor Disqualification
Delete competitors' document files via remFile, causing disqualification
9.8 CRITICAL UPLOAD /egp-upload-service/v1/remFile CONFIRMED 02-15

Details

The egp-upload-service/v1/remFile endpoint accepts a fileId parameter and deletes the corresponding file. Authentication is via the same hardcoded apiKey used for download (e2cCQW3mOnJQ4HIXKbNx3nUCmoAHPlBP). There is no ownership validation — any file can be deleted. An attacker can enumerate competitor document fileIds via merbide002 IDOR, then delete critical registration documents to cause disqualification from the bidding process.

Impact

Delete any competitor's bid documents (registration, guarantees, certificates) causing automatic disqualification. Integrity attack on the entire procurement process. Irreversible without backup.

Remediation

Remove the hardcoded apiKey authentication. Implement JWT-based auth with ownership validation. Only file owners should be able to delete their files.

Method: POST
Endpoint: /egp-upload-service/v1/remFile
V17
WRITE Operation via infoMerbide005 on Competitor Bids
Overwrite competitors' bid data via infoMerbide005
8.1 CRITICAL IDOR /merbide005/v1/infoMerbide005 CONFIRMED 02-16

Details

The merbide005/v1/infoMerbide005 endpoint performs a WRITE operation when called with a competitor's projectId, bidderId, and quotationId. Server responds with I1902: "บันทึกข้อมูลเรียบร้อยแล้ว" (Saved successfully). Tested with SUBSIRI9 (non-bidder) writing to 123CON9's bid on active project 69019546333. The usingGgAuth field was set to '0'. This represents a critical bid integrity compromise where an unauthorized party can modify competitor bid records.

Impact

Unauthorized write to competitor bid records during active bidding. Potential bid data corruption. Server confirmed successful write operation on a live procurement project.

Remediation

Enforce strict ownership check: only the bid owner (matched via JWT sub and bidderId) should be allowed to write. Add transaction logging and integrity verification.

Method: POST
Endpoint: /merbide005/v1/infoMerbide005
KMS1
Key1 Mass Export — 2,258 AES Keys Extracted
All 2,258 AES key1 keys exportable from Vault Transit
9.1 CRITICAL KMS /v1/transit/export/encryption-key/key1_* CONFIRMED 02-12

Details

HashiCorp Vault Transit engine key1 (AES-256-ECB, used as the first layer of e-GP's 2-layer encryption) has exportable=true configured. Using a valid Vault token (obtained via expired JWT login — see AUTH2), all 2,258 key1 instances were exported. Key naming convention: key1_YYYYMMDD_AM/PM. These keys encrypt bidder price data (priceProposal, contractDay) before the second layer (key2 Vault Transit). With key1 exported, the first encryption layer is completely broken.

Impact

All 2,258 AES-256 encryption keys for first-layer price encryption exported. Combined with KMS2 (key2 CVE bypass), enables full decryption of all bid prices across the entire e-GP system.

Remediation

Set exportable=false on all Transit keys. Rotate all compromised keys. Implement per-project or per-user key isolation instead of shared daily keys.

Method: GET
Endpoint: /v1/transit/export/encryption-key/key1_*
KMS2
CVE-2023-4680 Nonce Bypass — Real-Time Price Decryption
CVE-2023-4680 Nonce Bypass: real-time decryption of bid prices
9.8 CRITICAL KMS /v1/transit/encrypt/key2_* CONFIRMED 02-12

Details

Vault 1.11.3 is vulnerable to CVE-2023-4680 which allows specifying a nonce parameter in AES-GCM96 Transit encryption requests. By encrypting a known plaintext (zero bytes) with the same nonce as the target ciphertext, an XOR attack recovers the original plaintext. Successfully decrypted bid prices on 5 projects including LIVE bidding project 69019546333 during the 13:00-16:00 active window on 16 Feb 2026: 789RICHY=1,300,000 THB, 123CON=1,333,000 THB. Key2 naming: key2_YYYYMMDD_PM (shared, not per-project).

Impact

Full real-time decryption of encrypted bid prices during active bidding. 5 projects confirmed decrypted. Attacker knows exact competitor prices before envelope opening, enabling precise bid manipulation.

Remediation

Upgrade Vault to 1.14+ (patched for CVE-2023-4680). Disable nonce parameter acceptance in Transit encrypt API. Implement per-project key isolation.

Method: POST
Endpoint: /v1/transit/encrypt/key2_*
ACT1
Actuator /env Credential Leak — 27 Services Exposed
Actuator /env leaks credentials of 27 microservices (WAF bypass via URL encoding)
8.6 CRITICAL ACTUATOR /%61ctuator/env CONFIRMED 02-15

Details

Spring Boot Actuator /env endpoint is exposed on all 27 backend microservices. The F5 ASM WAF blocks the literal string 'actuator' but can be bypassed using URL encoding (%61ctuator where %61=a). This single vulnerability exposes: 27 DB2 database credentials in plaintext (22 unique users, 21 unique passwords), 3 DB2 database servers (egpcoredb, egpmsdb, egpalltemp), 210 Kubernetes services mapped (106 with internal IPs), ActiveMQ broker credentials, 277 inter-service URLs, and 2 plaintext API keys. Total data extracted: 9.0 MB.

Impact

27 database credentials, 3 database servers, full Kubernetes infrastructure map, ActiveMQ broker access, 277 internal routing URLs. Complete infrastructure intelligence for lateral movement.

Remediation

Disable Actuator endpoints in production or restrict to management port. Fix WAF rules to normalize URL encoding before pattern matching. Rotate all exposed database credentials immediately.

Method: GET
Endpoint: /%61ctuator/env
UPL1
Upload Service apiKey-Only Auth — Download Any File
Upload Service uses a single apiKey with no JWT: any file can be downloaded
9.1 CRITICAL UPLOAD /egp-upload-service/v1/downloadFile CONFIRMED 02-15

Details

The egp-upload-service authenticates requests using only a hardcoded API key (e2cCQW3mOnJQ4HIXKbNx3nUCmoAHPlBP) embedded in the JavaScript frontend bundle. No JWT token, no session validation, no user-file ownership check. Any file can be downloaded by knowing its fileId. 570 fileIds harvested from API responses (299 format1 + 271 format2), 20/20 test downloads = 100% success rate. Files include PII: national ID copies, company registration certificates, financial statements, VAT certificates (Phor.Phor.20). Service is available 24/7 including weekends when other services are down.

Impact

Download any government procurement document without authentication. PII exposure: national ID copies, company registrations, financial statements. 570+ known fileIds, 100% success rate. Available 24/7.

Remediation

Replace hardcoded API key with JWT-based authentication. Implement file ownership validation — users should only access files related to their own bids. Remove API key from frontend JavaScript bundle.

Method: GET
Endpoint: /egp-upload-service/v1/downloadFile
AUTH1
Expired JWT Accepted on 14 Endpoints
14 endpoints accept expired JWTs (exp claim not checked)
7.5 CRITICAL AUTH multiple CONFIRMED 02-12

Details

14 API endpoints across merchant-ebidding (8 endpoints) and doc-examine (6 endpoints) services do not validate the JWT expiration (exp) claim. Expired JWT tokens continue to be accepted indefinitely. This means a single token capture provides permanent API access until the signing key is rotated. Normal JWT TTL is 4 hours but expired tokens work months later.

Impact

Permanent API access from a single captured token. 14 endpoints affected across 2 critical services. Eliminates need for credential theft — one token capture is sufficient.

Remediation

Enforce JWT exp validation on all endpoints. Implement token blacklisting for revoked tokens. Consider shorter TTL with refresh token rotation.
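The check AUTH1 says is missing, as an added illustration rather than code from the e-GP services: a stdlib-only HS256 verifier that validates the signature, pins the algorithm, enforces exp/nbf with a small leeway, and consults a revocation list. The HS256 secret, the 4-hour TTL and the claim values are constructed for the demonstration; the real issuer's algorithm is not stated on the page.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any verification failure; callers treat it as HTTP 401."""


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims, secret):
    """Mint a token for the demonstration (constructed helper; the e-GP
    issuer is an OIDC provider and its signing algorithm is not on the page)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token, secret, now=None, leeway=30, revoked_jti=frozenset()):
    """Signature check followed by the time and revocation checks that the
    14 affected endpoints skip. Returns the claims or raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable token") from exc
    # Pin the algorithm: never let the token choose (and never accept 'none').
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    exp = claims.get("exp")
    # A token without exp would never expire, so its absence is a rejection too.
    if not isinstance(exp, (int, float)):
        raise TokenError("exp claim missing")
    if now > exp + leeway:
        raise TokenError("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise TokenError("token not yet valid")
    # Revocation list keyed by jti (the remediation's token blacklist).
    if claims.get("jti") in revoked_jti:
        raise TokenError("token revoked")
    return claims
```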

Method: GET/POST
Endpoint: multiple
AUTH2
Vault JWT Login Accepts Expired JWT — 32-Day Token
Vault JWT login accepts an expired JWT and issues a 32-day Vault token
8.1 CRITICAL AUTH /v1/auth/jwt/login CONFIRMED 02-12

Details

The HashiCorp Vault JWT authentication endpoint (/v1/auth/jwt/login) does not validate the JWT expiration claim. Submitting an expired JWT from a merchant account returns a valid Vault token with a 32-day TTL. This token grants access to Transit encryption/decryption operations and key export (see KMS1, KMS2). Vault roles: egpmerchant (confirmed), egpadmin (bound UUID unknown). Combined with AUTH1, a single captured JWT provides 32 days of Vault access.

Impact

32-day Vault access from a single expired JWT. Enables key export (2,258 keys), CVE-2023-4680 nonce attack, and Transit operations. Critical escalation path from token capture to full encryption bypass.

Remediation

Enable JWT exp validation in Vault auth configuration. Reduce Vault token TTL from 32 days to hours. Implement Vault token usage auditing.

Method: POST
Endpoint: /v1/auth/jwt/login
AUTH3
DataProfile Forgery — No JWT-DP Cross-Validation
DataProfile can be forged: the server does not cross-check the JWT against the DP identity
9.0 CRITICAL AUTH multiple CONFIRMED 02-13

Details

The server decrypts the data-profile header/body using the AES key derived from JWT.sub, then uses the identity fields (merchant_tin, login_id, merchant_id) from the decrypted DataProfile WITHOUT cross-checking them against the JWT identity. An attacker can forge a DataProfile containing any merchant's TIN, encrypt it with their own JWT sub key, and the server accepts it. Tested: SUBSIRI9 JWT + forged DP with 789RICHY TIN = HTTP 200 on all tested endpoints (merbide001, merbide003, merbide005, merbide006, dexbidi001). This is the foundation of the entire IDOR attack chain.

Impact

Complete identity spoofing. Any merchant can impersonate any other merchant. Foundation for all IDOR attacks — enables cross-company data access, document theft, and write operations on competitor bids.

Remediation

Cross-validate JWT sub against DataProfile identity fields server-side. Bind merchant_tin to the JWT at token issuance and verify on every request. Consider signing the DataProfile with a server-side key.
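The server-side check this remediation describes, and the bidderId ownership check called for in V13, V17 and IDOR1, as an added example (not the e-GP code). It assumes merchant_tin is bound into the JWT at issuance, models the database lookup as a constructed bidderId-to-TIN table, and returns a decision with a reason so that every denial can be audit-logged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class JwtIdentity:
    """Claims from the already-verified JWT. merchant_tin is assumed to be
    bound into the token at issuance, as the remediation recommends."""
    sub: str
    merchant_tin: str


@dataclass(frozen=True)
class DataProfile:
    """Identity fields of the decrypted DataProfile, whatever its delivery
    path (header or body; see AUTH4 and IDOR4)."""
    merchant_tin: str
    login_id: str
    merchant_id: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # written to the audit log on allow and deny alike


# Constructed ownership table standing in for the database lookup:
# bidderId -> TIN of the merchant that owns that bid.
BIDDER_OWNER = {
    "BIDDER-0001": "TIN-AAA",
    "BIDDER-0002": "TIN-BBB",
}


def check_data_profile(token: JwtIdentity, dp: DataProfile) -> Decision:
    """AUTH3 fix: the DataProfile only transports identity; the JWT is the
    authority. A DP whose TIN differs from the token's is rejected outright."""
    if dp.merchant_tin != token.merchant_tin:
        return Decision(False, f"dp_tin_mismatch sub={token.sub} dp_tin={dp.merchant_tin}")
    return Decision(True, "dp_identity_ok")


def authorize_bidder_access(token: JwtIdentity, dp: DataProfile, bidder_id: str,
                            owner_lookup=BIDDER_OWNER.get) -> Decision:
    """V13/V17/IDOR1 fix: every bidderId in a request must belong to the
    requesting merchant. Unknown bidderIds are denied rather than treated as
    unowned, so probing shows up in the audit log as denials."""
    dp_check = check_data_profile(token, dp)
    if not dp_check.allowed:
        return dp_check
    owner = owner_lookup(bidder_id)
    if owner is None:
        return Decision(False, f"unknown_bidder sub={token.sub} bidder_id={bidder_id}")
    if owner != token.merchant_tin:
        return Decision(False, f"bidder_not_owned sub={token.sub} bidder_id={bidder_id}")
    return Decision(True, "bidder_owned")
```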

Method: POST
Endpoint: multiple
AUTH4
E1538 Session Bypass — DataProfile in Body
Bypass the E1538 session check by sending the DataProfile in the body
8.1 CRITICAL AUTH multiple CONFIRMED 02-17

Details

The E1538 session validation (standBySession check) is bypassed when the dataProfile is sent in the POST request body instead of the HTTP header. For GET requests, the bypass requires data-profile header plus userId and branchNo query parameters. All password-grant JWTs are blocked by E1538, but browser OIDC flow JWTs (with nonce field) work on all endpoints. The delUserSession endpoint can also be used as a DoS attack to kill any user's active session instantly.

Impact

Bypasses session validation entirely. Enables all API attacks without an active browser session. delUserSession enables DoS against any user.

Remediation

Enforce session validation regardless of DataProfile delivery method (header or body). Implement rate limiting on delUserSession. Validate nonce field properly in OIDC JWTs.

Method: POST
Endpoint: multiple
IDOR1
getBidder Cross-Company — Query Any TIN to BidderId
getBidder IDOR: obtain any company's bidderId from its TIN
7.5 HIGH IDOR /common/getBidder CONFIRMED 02-11

Details

The common/getBidder endpoint accepts submitTin and projectId parameters and returns the encrypted bidderId for any company. No ownership validation. This is the entry point for the entire IDOR attack chain — once a bidderId is obtained, it can be used in merbide001-006 endpoints. The bidderId is AES-ECB encrypted but can be re-encrypted with the attacker's key (see AUTH3).

Impact

Enumerate bidderId for any company on any project. Entry point for all subsequent IDOR attacks. 16,676 bidder IDs harvested in mass scan.

Remediation

Restrict getBidder to return only the requesting merchant's own bidderId. Remove submitTin parameter or validate against JWT identity.

Method: GET
Endpoint: /common/getBidder
IDOR2
infoMerbide003 Signer Name Leak
IDOR leaks the signer's name and position via infoMerbide003
7.5 HIGH IDOR /merbide003/v1/infoMerbide003 CONFIRMED 02-11

Details

The merbide003/v1/infoMerbide003 endpoint returns the authorized signer's full name (agencyFullName) and position (agencyPosition) for any bidderId. The DataProfile is sent in the request body. Tested on project 69019546333: returned signer name from the forged DataProfile identity.

Impact

PII leak: authorized signer full name and position for any bidding company. Reveals corporate officer identity and role.

Remediation

Validate bidderId ownership against JWT sub before returning signer details.

Method: POST
Endpoint: /merbide003/v1/infoMerbide003
IDOR3
infoQuotation Cross-Company — Bid Timing and txId Leak
IDOR: competitors' bid timing and blockchain txId via infoQuotation
7.5 HIGH IDOR /merbide005/v1/infoQuotation CONFIRMED 02-16

Details

The merbide005/v1/infoQuotation endpoint returns exact quotation submission timestamp, quotationId, and blockchain txId for any bidderId on any project. Tested on project 69019546333 during active bidding: 123CON quotationDate=14:10:51, txId=1771225851768105866; 789RICHY quotationDate=14:13:09, txId=1771225989316341314 — both verified as 100% accurate.

Impact

Exact bid submission time and blockchain transaction ID of competitors. txId can be used in blockchain oracle attacks (B1). Timing data reveals bidding strategy.

Remediation

Restrict infoQuotation to only return the requesting merchant's own quotation data.

Method: POST
Endpoint: /merbide005/v1/infoQuotation
IDOR4
merbide006 Cross-Company via Body DataProfile
Cross-company IDOR via merbide006 (DataProfile in body)
7.5 HIGH IDOR /merbide006/v1/* CONFIRMED 02-15

Details

The merbide006 service (listProcurePrepare and related endpoints) accepts dataProfile in the request body (not header) using single base64 encoding. By forging a DP with the target merchant's TIN, an attacker retrieves the target's procurement preparation data. POC: 789RICHY JWT + forged DP with 123CON TIN returned 123CON's building construction data. merbide006 is available on weekends (unlike merbide001-004 which return 404).

Impact

View competitor procurement preparation data including project descriptions, dates, and planning details. Available 24/7 including weekends.

Remediation

Validate DataProfile identity against JWT sub regardless of delivery method. Apply same validation for body and header DataProfile.

Method: POST
Endpoint: /merbide006/v1/*
IDOR5
listExtendBidProject Mass Project Leak — 7,350+ Projects
Retrieve a list of 7,350+ projects via listExtendBidProject
5.3 HIGH IDOR /merbide012/v1/listExtendBidProject CONFIRMED 02-15

Details

The merbide012/v1/listExtendBidProject endpoint returns a paginated list of all bidding projects with extension dates. Over 7,350 projects were enumerated with project IDs, names, dates, and extension details. No ownership check — any authenticated merchant can retrieve the full list.

Impact

Mass enumeration of 7,350+ procurement projects with dates and details. Enables targeted attacks on specific high-value projects.

Remediation

Restrict project listing to only projects the requesting merchant is participating in.

Method: POST
Endpoint: /merbide012/v1/listExtendBidProject
IDOR6
showPdfQuotation IDOR — Download Competitor Quotation PDF
IDOR: download competitors' quotation PDFs
9.1 CRITICAL IDOR /merbidp001/v1/showPdfQuotaion CONFIRMED 02-10

Details

The merbidp001/v1/showPdfQuotaion endpoint (note: typo 'Quotaion' is in the actual API) generates and returns the quotation PDF document for any bidderId. The PDF contains the full price proposal, contract terms, and company details. No ownership validation — any merchant can download any other merchant's quotation document.

Impact

Direct download of competitor quotation PDF containing full price proposal and contract terms. Most direct path to competitor price information.

Remediation

Validate bidderId ownership before generating quotation PDF. Only the bid owner should access their own quotation document.

Method: POST
Endpoint: /merbidp001/v1/showPdfQuotaion
AC1
Merchant Opens Envelope — Officer Function Accessible
Merchant can open price envelopes (an officer function)
9.5 CRITICAL ACCESS_CONTROL /dexbide016/openEnvelope CONFIRMED 02-10

Details

The dexbide016/openEnvelope endpoint, which is an officer-only function for opening price envelopes, is accessible by merchant accounts. Server responds with "บันทึกข้อมูลเรียบร้อยแล้ว" (saved successfully). This is a critical role escalation where a bidder can trigger the envelope opening process, potentially accessing all bid prices before the official committee review.

Impact

Merchant can trigger officer-only envelope opening. Potential premature price disclosure. Critical integrity violation of the sealed-bid process.

Remediation

Enforce role-based access control. Only officer/committee accounts should access envelope opening endpoints. Validate employeeType from JWT, not DP.

Method: POST
Endpoint: /dexbide016/openEnvelope
AC2
Cross-Role dexmkti005 — Merchant Sees Officer Price History
Merchant can reach the officer endpoint dexmkti005 and see price history
8.1 HIGH ACCESS_CONTROL /dexmkti005/v1/info CONFIRMED 02-11

Details

The dexmkti005/v1/info endpoint (officer price history/market price information) is accessible by merchant accounts. Merchant 789RICHY successfully accessed this officer-only endpoint and retrieved price data for projects they were not involved in (cross-project). After envelope opening, returns ALL bidder names and prices.

Impact

Merchant accesses officer-only price history. Cross-project data visible. All bidder names and prices disclosed after envelope opening.

Remediation

Enforce role check (employeeType=A required). Restrict to officer accounts with proper committee assignment to the specific project.

Method: GET
Endpoint: /dexmkti005/v1/info
AC3
Unauthenticated dexmkte004 — All Bid Prices Without Auth
dexmkte004 requires no auth and shows every bidder's price
9.8 CRITICAL ACCESS_CONTROL /dexmkte004/listDexConsiderMerchantPrice CONFIRMED 02-09

Details

The dexmkte004/listDexConsiderMerchantPrice endpoint returns all bid prices for a project with minimal or no authentication required. This officer-only endpoint for viewing considered merchant prices is accessible by any account type. Returns data after envelope opening including all merchant names, TINs, and submitted prices.

Impact

Complete bid price disclosure without proper authentication. All merchant names, TINs, and prices for any project. Most critical access control failure.

Remediation

Require officer JWT with proper role claims. Implement project-level access control (only assigned committee members).

Method: GET
Endpoint: /dexmkte004/listDexConsiderMerchantPrice
B1
Blockchain Oracle IDOR — Check Any txId Status
Blockchain Oracle IDOR: check the status of any txId
7.5 HIGH BLOCKCHAIN /merbide005/v1/infoCallBack CONFIRMED 02-15

Details

The merbide005/v1/infoCallBack endpoint queries the blockchain oracle for transaction status using a txId. Any authenticated user can check the status of any transaction, including competitors'. Combined with IDOR3 (txId leak via infoQuotation), an attacker can verify blockchain confirmation status of competitor bids in real-time.

Impact

Real-time monitoring of competitor blockchain transaction status. Verification of bid submission confirmation on the blockchain.

Remediation

Restrict infoCallBack to only return status for the requesting user's own transactions.

Method: POST
Endpoint: /merbide005/v1/infoCallBack
B2
txID Timestamp Predictable — Nanosecond Encoding
txId is predictable: encoded from a nanosecond timestamp
5.3 HIGH BLOCKCHAIN N/A CONFIRMED 02-15

Details

Blockchain transaction IDs (txId) in the e-GP system are derived from nanosecond timestamps rather than cryptographic hashes. This makes txIds predictable if the approximate bid submission time is known. Example: txId 1771225851768105866 corresponds to a specific nanosecond timestamp. Combined with quotation timing leaks (IDOR3), txIds can be predicted or verified without direct access.

Impact

Transaction IDs are predictable, enabling brute-force enumeration of blockchain transactions within a time window.

Remediation

Generate txIds using cryptographically secure random values or hashes rather than timestamps.

Method: N/A
Endpoint: N/A
B3
OTP No Rate Limit — Unlimited Verification Attempts
OTP has no rate limit: unlimited brute-force attempts
8.1 HIGH BLOCKCHAIN /merbide005/v1/verifyOTP CONFIRMED 02-16

Details

The OTP verification endpoint (merbide005/v1/verifyOTP) has no rate limiting or account lockout. Testing showed 15+ consecutive attempts with ~470ms response time and no blocking. The genOTP endpoint also has a cross-company vulnerability: it sends OTP SMS to the victim's phone number. Combined with the OTP reference leak (V15 — infoBidderTemplateData returns OTP ref like 'aZbq'), an attacker could potentially brute-force the OTP during active bidding to hijack bid confirmation.

Impact

Unlimited OTP brute-force attempts. Cross-company OTP generation sends SMS to victim. Combined with OTP ref leak, enables bid confirmation hijack.

Remediation

Implement rate limiting (max 3-5 attempts per transId). Add progressive lockout. Restrict genOTP to only the bid owner's phone number.

Method: POST
Endpoint: /merbide005/v1/verifyOTP
B5
updateSubmitStatus Cross-Company WRITE via infoCallBack
Cross-company WRITE via updateSubmitStatus/infoCallBack
8.1 HIGH BLOCKCHAIN /merbide005/v1/infoCallBack PARTIAL 02-16

Details

The infoCallBack endpoint can potentially trigger updateSubmitStatus for competitor bids via blockchain callback mechanism. During active bidding on project 69019546333, the confirm endpoint returned RC=0 (no E3517 error) but was blocked by E0032 (transId format validation — requires 20 digits). The actual transId is only visible in browser flow (empty response via API). Partial confirmation — the access control layer is missing but format validation provides a secondary barrier.

Impact

Potential cross-company write to bid submission status. Access control missing but secondary format validation blocks full exploitation.

Remediation

Add ownership validation to infoCallBack. Validate that the callback transaction belongs to the requesting merchant.

Method: POST
Endpoint: /merbide005/v1/infoCallBack
CRYPTO1
AES-256-ECB Mode — No IV, Deterministic Encryption
AES-256-ECB with no IV: repeated encryption yields the same ciphertext
7.5 HIGH CRYPTO N/A CONFIRMED 02-13

Details

The first layer of e-GP's 2-layer encryption uses AES-256 in ECB mode (Electronic Codebook) with PKCS7 padding and no initialization vector. ECB mode is deterministic — the same plaintext always produces the same ciphertext, enabling pattern analysis. Identical bid amounts from different companies would produce recognizable patterns. The CryptoJS library on the client side and Java AES on the server both use this insecure mode.

Impact

Deterministic encryption enables pattern analysis. Same bid amounts produce same ciphertext. ECB mode leaks data patterns through block-level analysis.

Remediation

Switch from ECB to CBC or GCM mode with random IV per encryption operation. Use authenticated encryption (AES-GCM) for integrity protection.

Method: N/A
Endpoint: N/A
CRYPTO2
AES Key = JWT.sub UUID Without Hashing
AES key = JWT.sub UUID without hashing: predictable
7.5 HIGH CRYPTO N/A CONFIRMED 02-13

Details

The AES-256 encryption key for DataProfile and bidderId encryption is derived directly from the JWT subject (sub) field by removing dashes and encoding as UTF-8: key = JWT.sub.replace('-','').encode('utf-8'). No hash function (SHA-256, PBKDF2), no salt, no iterations. The UUID becomes a 32-byte key directly. Since JWT sub is visible in every token (even after expiry), any intercepted JWT reveals the AES key. Example: sub='6c66411d-3445-442e-9802-b44fcdae9a67' -> key='6c66411d3445442e9802b44fcdae9a67'.

Impact

Any intercepted JWT reveals the AES encryption key. Enables DataProfile forgery and bidderId re-encryption for IDOR attacks. Foundation of the entire attack chain.

Remediation

Derive keys using PBKDF2 or HKDF with a server-side salt. Never use raw UUIDs as cryptographic keys. Use separate keys for DataProfile and bidderId.
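The derivation described above beside the replacement this remediation calls for, as an added example (not the e-GP code): an RFC 5869 HKDF-SHA256 built from the standard library that mixes a server-held secret into the key and separates DataProfile and bidderId keys by purpose label. The salt label, the server secret and the assumption that JWT.sub is a UUID are constructed for the demonstration.

```python
import hashlib
import hmac
import uuid

# Fixed, public salt label (constructed for this example). It does not need to
# be secret; the secrecy comes from server_secret below.
SALT_LABEL = b"egp-profile-key-v1"


def vulnerable_key_from_sub(jwt_sub):
    """The derivation the page describes: the UUID text with dashes removed,
    used directly as a 32-byte AES-256 key. Whoever holds the token holds the key."""
    return jwt_sub.replace("-", "").encode("utf-8")


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (Extract then Expand) with SHA-256, stdlib only."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested length too large for HKDF-SHA256")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()        # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_profile_key(jwt_sub, server_secret, purpose):
    """Key that (a) cannot be recovered from the JWT alone because a
    server-side secret is part of the input keying material, and (b) differs
    per purpose, so DataProfile and bidderId encryption use distinct keys."""
    if len(server_secret) < 32:
        raise ValueError("server secret must be at least 256 bits")
    # Assumption (matches the page's example value): sub is a UUID string.
    ikm = server_secret + uuid.UUID(jwt_sub).bytes
    return hkdf_sha256(ikm, SALT_LABEL, purpose.encode("ascii"), 32)
```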

Method: N/A
Endpoint: N/A
INFO1
Actuator Prometheus Metrics — 93 URIs Exposed
Prometheus metrics leak 93 URIs with call counts
5.3 MEDIUM INFO_DISCLOSURE /%61ctuator/prometheus CONFIRMED 02-15

Details

The Actuator Prometheus endpoint is exposed via the same WAF bypass (%61ctuator). Returns detailed metrics including 93 URIs with call counts, response times, HTTP status code distributions, JVM memory usage, thread counts, and database connection pool statistics. Enables mapping of all API endpoints and their usage patterns.

Impact

API endpoint enumeration with usage statistics. Performance profiling data. JVM and database connection pool information.

Remediation

Disable Prometheus endpoint in production or restrict to internal monitoring network only.

Method: GET
Endpoint: /%61ctuator/prometheus
INFO2
Swagger UI Exposed via WAF Bypass
Swagger UI exposed via WAF bypass (sw%61gger-ui.html)
5.3 MEDIUM INFO_DISCLOSURE /sw%61gger-ui.html CONFIRMED 02-15

Details

Swagger UI is accessible on backend services by URL-encoding one character in the path (sw%61gger-ui.html) to bypass the F5 ASM WAF. Provides complete API documentation including all endpoints, request/response schemas, parameter types, and authentication requirements. Significantly accelerates attack reconnaissance.

Impact

Complete API documentation exposure. All endpoint paths, schemas, and authentication requirements visible to attackers.

Remediation

Remove Swagger UI from production deployments. Fix WAF rules to URL-decode before pattern matching.
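The "URL-decode before pattern matching" fix that this entry, ACT1 and INFO1 all call for, as an added example (not the F5 ASM rule set, which is not on the page): a path canonicaliser that percent-decodes to a fixpoint, resolves dot-segments and case, and only then matches block patterns, shown beside the raw-string match that %61ctuator slips past. The block list is constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed block list for the demonstration; patterns are matched against
# the canonical (decoded, lower-cased) path, never the raw request line.
BLOCKED_PATH_PATTERNS = [
    re.compile(r"/actuator(/|$)"),
    re.compile(r"/swagger-ui"),
    re.compile(r"/v[0-9]+/api-docs"),
]


def normalize_path(raw_path, max_rounds=3):
    """Canonicalise a request path before signature matching.

    Percent-decoding is repeated (bounded) so single- and double-encoded
    forms (%61, %2561) collapse to the same literal; then backslashes,
    duplicate slashes, '.' and '..' segments and case are normalised."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts).lower()


def is_blocked(raw_path):
    """Correct behaviour: match the canonical form."""
    canonical = normalize_path(raw_path)
    return any(p.search(canonical) for p in BLOCKED_PATH_PATTERNS)


def naive_is_blocked(raw_path):
    """The failure mode in ACT1/INFO2: matching the literal request string."""
    return any(p.search(raw_path) for p in BLOCKED_PATH_PATTERNS)
```

Logging the canonical path alongside the raw one also makes encoded probes visible in WAF and access logs, which the raw string alone hides.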

Method: GET
Endpoint: /sw%61gger-ui.html
INFO3
Stack Trace Leak — Internal Class Names and Versions
Stack trace leak: class names and framework versions visible
4.3 MEDIUM INFO_DISCLOSURE /merbide004/v1/* CONFIRMED 02-15

Details

Error responses from multiple endpoints include full Java stack traces with internal class names, package structure, Hibernate/JPA versions, and framework details. For example, merbide004 errors reveal IllegalBlockSizeException paths showing the AES decryption flow. This information assists in identifying the technology stack and potential attack vectors.

Impact

Internal technology stack disclosure: class names, framework versions, package structure. Assists in crafting targeted exploits.

Remediation

Return generic error messages in production. Log detailed stack traces server-side only. Implement custom error handlers.

Method: POST
Endpoint: /merbide004/v1/*
INFO4
Vault Info Disclosure — 10 Unauthenticated Endpoints
Vault exposes 10 endpoints without auth
5.3 MEDIUM INFO_DISCLOSURE /v1/sys/* CONFIRMED 02-12

Details

HashiCorp Vault (version 1.11.3) exposes 10 unauthenticated system endpoints including /v1/sys/health, /v1/sys/seal-status, /v1/sys/leader, /v1/sys/ha-status, and others. These reveal: Vault version (1.11.3), cluster name, seal type (Shamir 3/5 threshold), HA status, storage backend (Raft), and node information. Critical for Vault-specific attacks.

Impact

Vault version, cluster topology, seal configuration, HA status, and storage backend exposed. Enables targeted Vault attacks.

Remediation

Restrict Vault sys endpoints to internal network. Enable Vault audit logging. Consider using auto-unseal instead of Shamir.

Method: GET
Endpoint: /v1/sys/*
DOS1
delUserSession — Kill Any User Session (DoS)
delUserSession: kill any user's session (DoS)
6.5 MEDIUM AUTH /egp-authen-service/delUserSession CONFIRMED 02-17

Details

The egp-authen-service/delUserSession endpoint accepts a userId parameter and immediately terminates the target user's active session. No ownership validation — any authenticated user can kill any other user's session. During active bidding windows, this enables denial of service against competitors by repeatedly killing their sessions while they attempt to submit bids.

Impact

Denial of service against any user. During active bidding, prevents competitors from submitting bids by killing their sessions.

Remediation

Restrict delUserSession to only the authenticated user's own session. Add rate limiting and audit logging.

Method: DELETE
Endpoint: /egp-authen-service/delUserSession
VAULT1
Vault generate-root No Auth — Root Token Generation
Vault generate-root requires no auth: root token generation can be started
9.0 CRITICAL AUTH /v1/sys/generate-root/attempt CONFIRMED 02-12

Details

The Vault generate-root endpoint (/v1/sys/generate-root/attempt) is accessible without authentication. An attacker can initiate the root token generation process. While completing the process requires unseal keys (Shamir 3/5 threshold), the ability to initiate it without auth is a significant misconfiguration. If combined with unseal key compromise, this grants full Vault root access.

Impact

Initiate root token generation without authentication. Combined with unseal key compromise enables full Vault takeover.

Remediation

Restrict generate-root endpoint to internal network with IP allowlisting. Enable Vault audit logging for all sys operations.

Method: POST
Endpoint: /v1/sys/generate-root/attempt
VAULT2
Vault rekey No Auth — Initiate Rekey Process
Vault rekey without auth — rekey process can be initiated
7.5 MEDIUM AUTH /v1/sys/rekey/init CONFIRMED 02-12

Details

The Vault rekey endpoint (/v1/sys/rekey/init) is accessible without authentication. An attacker can initiate the rekey process which changes the Shamir secret sharing parameters. While completing rekey requires existing unseal keys, initiating the process without auth could cause disruption and is a significant misconfiguration.

Impact

Initiate seal rekey without authentication. Potential disruption to Vault operations. Combined with social engineering could lead to unseal key compromise.

Remediation

Restrict rekey endpoint to internal network. Implement network-level access control for all Vault sys endpoints.

Method: POST
Endpoint: /v1/sys/rekey/init
VAULT3
Vault 1.11.3 End-of-Life — 30+ Unpatched CVEs
Vault 1.11.3 out of support — 30+ unpatched CVEs
9.1 CRITICAL KMS N/A CONFIRMED 02-12

Details

The e-GP system uses HashiCorp Vault version 1.11.3 which reached end-of-life and no longer receives security patches. Over 30 CVEs have been published since this version, including CVE-2023-4680 (nonce bypass, exploited in KMS2), CVE-2023-3462 (LDAP injection), and multiple denial of service vulnerabilities. The version was confirmed via unauthenticated /v1/sys/health endpoint.

Impact

30+ known CVEs unpatched including actively exploited CVE-2023-4680. End-of-life software with no future security updates. Critical encryption infrastructure running on compromised software.

Remediation

Upgrade Vault to the latest LTS version (1.15+). Implement regular patch management cycle. Consider Vault Enterprise for extended support.

Method: N/A
Endpoint: N/A
IDOR7
doc-examine Cross-Project Price Viewing
IDOR: doc-examine views prices of unrelated projects
7.5 HIGH IDOR /dexmkti005/v1/info CONFIRMED 02-11

Details

The doc-examine service (dexmkti005) allows any authenticated user to view price information for projects they are not involved in. Merchant 789RICHY accessed price data for projects where they did not submit a bid. After envelope opening, this returns all bidder names and prices. No AES binding on doc-examine — only JWT + DP header required.

Impact

Cross-project price data accessible by any merchant. After envelope opening, all bidder names and prices for any project are exposed.

Remediation

Implement project-level access control. Only users with a valid bid on the project should access its examination data.

Method: GET
Endpoint: /dexmkti005/v1/info
UPL2
File Copy — Duplicate Any File to New ID
Copy any file to a new ID
6.5 MEDIUM UPLOAD /egp-upload-service/copy/v1/copyFileGenerateFileId CONFIRMED 02-15

Details

The upload service copy endpoint allows duplicating any existing file to a new fileId. Combined with apiKey-only authentication (UPL1), any file in the system can be duplicated. This could be used to exfiltrate files under new IDs or to plant duplicate documents. The copy operation only requires the hardcoded apiKey.

Impact

Duplicate any file in the system. Enables file exfiltration under new IDs and potential document planting.

Remediation

Require JWT authentication for copy operations. Validate file ownership before allowing copies.

Method: POST
Endpoint: /egp-upload-service/copy/v1/copyFileGenerateFileId
IDOR8
dexbide010 Examination Status Leak
IDOR: view examination status + control buttons via dexbide010
6.5 MEDIUM IDOR /dexbide010/infoDexbide010 CONFIRMED 02-16

Details

The dexbide010/infoDexbide010 endpoint returns examination status, examiner name, merchant count, lock flags, and UI control button actions (stepMessage, closeBtnConfirm, closeBtnBargain) for any project. Tested on project 69019546333 during active bidding: examineName, examineFlag, countMerchant=1, examineLockFlag='Y'. The control button information suggests potential write operations.

Impact

Examination status, examiner details, and control actions exposed. countMerchant reveals number of bidders. Lock flags indicate process stage.

Remediation

Restrict dexbide010 to assigned committee members only. Remove UI control button data from API responses.

Method: GET
Endpoint: /dexbide010/infoDexbide010
IDOR9
dpebide001 Full Price Estimate with Attachments
IDOR: view the full reference price with attachments via dpebide001
8.1 HIGH IDOR /dpebide001/infoDpebide001 CONFIRMED 02-16

Details

The dpebide001/infoDpebide001 endpoint returns the full price estimate data including estAmount (reference price), projectMoney (budget), department name, UNSPSC product codes, and PDF attachment fileIds (fileSimulate). Tested on project 69019546333: estAmount=1,304,354.20, projectMoney=1,300,000.00, deptName='เทศบาลเมืองบางเลน', 2 PDF attachments (บก.01 and สรุปราคากลาง). No ownership check.

Impact

Full reference price (ราคากลาง) and budget disclosure. PDF attachments downloadable via UPL1. Enables precise bid calibration by competitors.

Remediation

Restrict price estimate access to after official publication date. Validate that the requesting user has a legitimate reason to access the price estimate.

Method: GET
Endpoint: /dpebide001/infoDpebide001
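One way to implement the project-level access control asked for in the IDOR7 and IDOR9 remediations, as an added example in Python that is not part of this page or of the e-GP code base. It assumes the data model shown here (Project, Caller, a per-project bidder list, an envelope-opened flag and an official publication date for the price estimate); how those would be loaded from the real database is out of scope. The point it demonstrates is that access is derived from the authenticated identity and the project's own records, never from a client-supplied bidderId or projectId alone:

```python
"""Project-level authorisation for examination and price-estimate reads
(added example, not e-GP code). Covers the IDOR7 and IDOR9 remediations:
examination data only for the committee and merchants holding a valid bid,
bidder prices only after envelope opening, and the price estimate only
after its official publication date. All names and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Raised when the caller has no legitimate tie to the project."""


@dataclass
class Project:
    project_id: str
    bidders: Set[str] = field(default_factory=set)     # merchantIds with a valid bid
    committee: Set[str] = field(default_factory=set)   # userIds of the examination committee
    envelope_opened: bool = False
    bids: Dict[str, float] = field(default_factory=dict)  # merchantId -> priceProposal
    est_amount: float = 0.0                            # reference price
    published_on: Optional[date] = None                # official publication of the estimate


@dataclass
class Caller:
    user_id: str                  # JWT sub of the authenticated user
    merchant_id: Optional[str]    # None for committee / agency accounts


def examination_role(caller: Caller, project: Project) -> str:
    """Return 'committee' or 'bidder'; any other caller is refused."""
    if caller.user_id in project.committee:
        return "committee"
    if caller.merchant_id is not None and caller.merchant_id in project.bidders:
        return "bidder"
    raise Forbidden(f"{caller.user_id} has no bid on project {project.project_id}")


def may_view_examination(caller: Caller, project: Project) -> bool:
    """Boolean form of examination_role for callers that prefer no exception."""
    try:
        examination_role(caller, project)
        return True
    except Forbidden:
        return False


def examination_info(caller: Caller, project: Project) -> dict:
    """Examination view: stage always, bidder names and prices only once opened."""
    role = examination_role(caller, project)
    info = {"projectId": project.project_id, "role": role,
            "stage": "opened" if project.envelope_opened else "sealed",
            "bids": None}
    if project.envelope_opened:
        info["bids"] = dict(project.bids)   # copy, so callers cannot mutate state
    return info


def price_estimate_info(caller: Caller, project: Project, today: date) -> dict:
    """Price estimate: committee at any time; others only after publication
    and only when they hold a merchant account (assumed 'legitimate reason')."""
    if caller.user_id not in project.committee:
        if project.published_on is None or today < project.published_on:
            raise Forbidden("price estimate not yet published")
        if caller.merchant_id is None:
            raise Forbidden("no legitimate interest in the estimate")
    return {"projectId": project.project_id, "estAmount": project.est_amount}


def may_view_price_estimate(caller: Caller, project: Project, today: date) -> bool:
    """Boolean form of price_estimate_info."""
    try:
        price_estimate_info(caller, project, today)
        return True
    except Forbidden:
        return False
```

Because the bidder list lives on the project record, a merchant who never bid gets the same 403 whether they supply their own bidderId or someone else's, which closes the IDOR7 path; and because the price list is withheld until `envelope_opened` is true even for legitimate bidders, the handler cannot leak competitor prices during the bidding window.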