The LUNA Radio Player plugin for WordPress has been found to be vulnerable to Directory Traversal attacks in all versions up to, and including, 6.24.01.24. This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information.
In this post, we'll provide a detailed analysis of the vulnerability, discuss its impact on WordPress websites using the LUNA Radio Player plugin, and provide guidance on how to mitigate this issue in your own WordPress installation.
Vulnerability Details
The vulnerability resides in the "js/fallback.php" file, which can be exploited by an unauthenticated attacker to traverse the directory and obtain arbitrary file contents on the server.
The following code snippet from the "js/fallback.php" file demonstrates the vulnerability:
<?php
// The request parameter is used directly as a filesystem path:
// no validation, no canonicalization, no restriction to a base directory.
$file = $_GET['file'];
if (file_exists($file)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
?>
In this code, the $file variable is read directly from the $_GET['file'] parameter, without any validation or sanitization applied. Consequently, an attacker can provide a value containing directory traversal sequences (e.g. "../") to access and read arbitrary files on the server.
Exploit
To exploit this vulnerability, an attacker can craft a malicious URL pointing to the "js/fallback.php" file within the LUNA Radio Player plugin directory. For example:
http://target-site.com/wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../../wp-config.php
By accessing this URL, the attacker can read the contents of the WordPress configuration file "wp-config.php", potentially obtaining sensitive information such as database credentials.
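From the defender's side, the request shape described above is easy to spot in web server access logs: a hit on the plugin's fallback.php whose file parameter, once URL-decoded and resolved against the plugin's js directory, points outside that directory. The following Python script is an added example (it is not part of the original post or of the plugin's code) that scans combined-format access log lines for exactly that condition. The log lines, IP addresses, timestamps and the filename player.js are constructed for the example; the endpoint path is the one given in the advisory.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Vulnerable endpoint inside a WordPress install (path from the advisory).
TARGET_PATH = "/wp-content/plugins/luna-radio-player/js/fallback.php"
# Directory the handler is supposed to serve files from.
JS_DIR = "/wp-content/plugins/luna-radio-player/js"

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumption: combined log format).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Nov/2024:04:20:01 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '203.0.113.5 - - [13/Nov/2024:04:20:03 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '198.51.100.7 - - [13/Nov/2024:04:21:10 +0000] "GET /wp-content/plugins/luna-radio-player/js/fallback.php?file=player.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Nov/2024:04:21:11 +0000] "GET /wp-content/plugins/luna-radio-player/js/player.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Undo percent-encoding until the value stops changing, so a logged value
    that was encoded more than once is compared in its decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(file_param, base=JS_DIR):
    """True if `file_param`, resolved relative to `base`, would land outside it.
    Absolute paths and embedded NUL bytes are treated as out of bounds too."""
    decoded = fully_decode(file_param).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    return not (resolved == base or resolved.startswith(base + "/"))


def find_traversal_attempts(log_lines):
    """Return (ip, timestamp, decoded file value, status) for each request to
    fallback.php whose file parameter escapes the plugin's js directory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue  # some other resource
        # parse_qs already applies one round of URL decoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if escapes_base(value):
                hits.append((m.group("ip"), m.group("ts"), fully_decode(value), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, ts, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} traversal via fallback.php -> {path} (HTTP {status})")
```

A 200 status on a flagged line means the server actually returned the file, which is the signal to treat the request as a successful read rather than a blocked probe; the containment check itself (normalize the joined path, then require the base directory as a prefix) is the same logic a hardened handler should apply before opening anything.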
Original References
The vulnerability was first reported by [security researcher's name] and has been assigned the CVE identifier CVE-2024-10816. You can find the original references and disclosures here:
- CVE-2024-10816
- Security researcher's original disclosure
Mitigation
To mitigate or remediate this vulnerability, it is recommended to follow these steps:
1. Update the LUNA Radio Player plugin to the latest version, which should include a fix for this vulnerability.
2. If updating the plugin is not possible, you can apply a temporary fix by adding validation and sanitization to the $file variable in the "js/fallback.php" file. For example:
<?php
// Only the names in this list may be served, and each one is resolved inside
// this script's own directory, so "../" sequences in the request cannot reach
// any other directory.
$allowed_files = ['file1.js', 'file2.js']; // Add your allowed file names here
$requested = isset($_GET['file']) ? basename((string) $_GET['file']) : '';
$file = __DIR__ . DIRECTORY_SEPARATOR . $requested;
if (in_array($requested, $allowed_files, true) && is_file($file)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . $requested);
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}
http_response_code(404);
?>
Because the request is reduced to a bare file name, checked against an explicit allowlist, and then resolved inside the script's own directory, only the listed files in that directory can ever be served, which removes the directory traversal.
Conclusion
The CVE-2024-10816 vulnerability in the LUNA Radio Player plugin for WordPress is a serious issue that can expose sensitive information on affected websites. It's crucial for website administrators to promptly address this issue by updating the plugin or applying the recommended mitigation measures.
Timeline
Published on: 11/13/2024 04:15:04 UTC
Last modified on: 11/13/2024 17:01:16 UTC