← Advisories

ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure

High
Advisory ID
ZSL-2020-5600
Release Date
18 October 2020
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, 2.0.1.823
CVE
CVE-2020-36876
Tested On
ReQuest Serious Play® OS v7.0.1, ReQuest Serious Play® OS v6.0.0, Debian GNU/Linux 5.0, Linux 3.2.0-4-686-pae, Linux 2.6.36-request+lenny.5, Apache/2.2.22, Apache/2.2.9, PHP/5.4.45, PHP/5.2.6-1
Summary

F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.

Description

The unprotected web management server is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit the message_log page and disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device.

Proof of Concept
request_log.txtTXT
Disclosure Timeline
01.08.2020Vulnerability discovered.
16.08.2020Vendor contacted.
17.10.2020No response from the vendor.
18.10.2020Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/159598/
[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/190032
[3]https://www.exploit-db.com/exploits/48950
[4]https://www.vulncheck.com/advisories/request-serious-play-f-media-server-debug-log-disclosure
[5]https://www.cve.org/CVERecord?id=CVE-2020-36876
Changelog
18.10.2020Initial release
20.10.2020Added reference [1]
26.10.2020Added reference [2] and [3]
08.12.2025Added reference [4] and [5]