xxyopen novel-plus
cpe:2.3:a:xxyopen:novel-plus:*:*:*:*:*:*:*
- <v5.1.3
A vulnerability exists in xxyopen's novel-plus application, specifically in versions up to 5.1.3. The issue arises in the file deletion function of the FileController, where a missing authorization check allows any authenticated user to delete files belonging to other users simply by knowing their IDs. This flaw is an Insecure Direct Object Reference (IDOR), and it is exacerbated by the fact that the intended permission verification is commented out in the code. The vulnerability can be exploited remotely, although exploitation requires a certain level of complexity.
Exploitation of this vulnerability allows for arbitrary file deletion, potentially leading to loss of important data or disruption of service.
To reproduce this vulnerability, an authenticated user can send a request to the 'remove' endpoint of the FileController. The request must include the ID of the file to be deleted. Since the function does not verify ownership, any file can be deleted as long as its ID is known or can be guessed.
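The missing ownership check described above, shown beside a hardened form. This is an added example and not novel-plus source code; the class, method, and field names, the in-memory store, and the sample IDs and paths are all hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed sketch, not novel-plus source: every name here is hypothetical.
public class FileRemoveOwnershipCheck {

    record StoredFile(long id, long ownerId, String path) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Map<Long, StoredFile> files = new HashMap<>();

    void save(StoredFile f) { files.put(f.id(), f); }

    // Pattern the advisory describes: the record is selected by ID alone and
    // the caller's identity is never compared with the file's owner.
    boolean removeUnchecked(long fileId, long callerId) {
        return files.remove(fileId) != null;
    }

    // Hardened form: callerId must come from the server-side session, never
    // from a request parameter, and the delete only proceeds for the owner.
    boolean removeChecked(long fileId, long callerId) {
        StoredFile f = files.get(fileId);
        if (f == null || f.ownerId() != callerId) {
            // Same failure for "missing" and "not yours" so IDs cannot be probed.
            throw new AccessDeniedException("file " + fileId + " not available to caller");
        }
        return files.remove(fileId) != null;
    }

    public static void main(String[] args) {
        FileRemoveOwnershipCheck store = new FileRemoveOwnershipCheck();
        long alice = 1L, bob = 2L; // constructed user IDs
        store.save(new StoredFile(100L, alice, "/upload/a.png"));
        store.save(new StoredFile(101L, alice, "/upload/b.png"));

        // Unchecked path: a non-owner's request removes the owner's file.
        System.out.println("unchecked, non-owner: " + store.removeUnchecked(100L, bob));
        try {
            store.removeChecked(101L, bob);
        } catch (AccessDeniedException e) {
            System.out.println("checked, non-owner: denied (" + e.getMessage() + ")");
        }
        System.out.println("checked, owner: " + store.removeChecked(101L, alice));
    }
}
```

Denied deletes on the checked path are worth logging with the caller and the requested file ID, since repeated denials across sequential IDs indicate enumeration.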