inMusic Brands Engine DJ Insecure Permissions Vulnerability Allowing Arbitrary File Access
Vulnerability
inMusic Brands Engine DJ version 4.3.0 contains an insecure permissions vulnerability caused by an exposed HTTP service in the Remote Library. The service lets attackers access all files and network paths available to the user under which Engine DJ is running. The issue arises because the application does not authenticate clients or restrict requested filesystem paths, which leaves sensitive local or network-accessible files open to exfiltration.
Impact
Exploitation of this vulnerability allows for unauthorized access to arbitrary files on the local filesystem or network paths, depending on the permissions of the user running the Engine DJ application. During testing, accessed files included private SSH keys and environment files.
Reproduction
The vulnerability can be reproduced by sending HTTP GET requests to the Engine DJ application's embedded server on port 50020, which is open on all IPv4 interfaces except localhost. Requests can be made for any file accessible to the user under which Engine DJ is running, including files on network shares, as long as the path is known.
Remediation
Users are advised to upgrade to Engine DJ version 4.3.4 or later, which mitigates this vulnerability by whitelisting requestable paths and denying access to files outside the media library.
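One way to implement the kind of path check this remediation describes, shown as an added example that is not Engine DJ's code and not part of the original advisory. The function name, the library root and the sample files are assumptions constructed for illustration; the check resolves each requested path before comparing it against the allowed media library roots.

```python
import os
import tempfile

def is_request_allowed(requested, library_roots):
    """Return True only if the requested path resolves inside an allowed root."""
    if not requested or "\x00" in requested:
        return False
    # Resolve symlinks and ".." first, so the decision applies to the file
    # that would actually be opened, not to the string the client sent.
    real = os.path.realpath(requested)
    for root in library_roots:
        real_root = os.path.realpath(root)
        try:
            # commonpath compares whole path components, so a sibling such as
            # "Music-backup" does not pass as being inside "Music".
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:
            # Different drives or mixed absolute/relative paths: not contained.
            continue
    return False

def demo():
    """Constructed layout: a media library next to a private file."""
    base = tempfile.mkdtemp()
    library = os.path.join(base, "Music")          # hypothetical library root
    os.makedirs(os.path.join(library, "sets"))
    track = os.path.join(library, "sets", "track.mp3")
    secret = os.path.join(base, "id_example")      # stands in for a private key
    for path in (track, secret):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    link = os.path.join(library, "link")
    os.symlink(secret, link)                       # link inside, target outside
    cases = {
        "track in library": track,
        "absolute outside": secret,
        "dot-dot": os.path.join(library, "..", "id_example"),
        "prefix sibling": library + "-backup/x.mp3",
        "symlink escape": link,
    }
    return {name: is_request_allowed(p, [library]) for name, p in cases.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allow' if allowed else 'deny'}")
```

A path check like this limits what can be read; it does not address the missing client authentication that the advisory also names.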
