ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure

Title: ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure
Advisory ID: ZSL-2020-5600
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 18.10.2020
Summary
F3 packs all the power of ReQuest's multi-zone Serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.
Description
The unprotected web management server is vulnerable to sensitive information disclosure. An unauthenticated attacker can visit the message_log page and retrieve the webserver's Python debug log file, which contains system information, credentials, paths, processes and command arguments running on the device.
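As an added illustration for defenders (not part of the advisory, the PoC or any vendor material), the following Python script scans Apache combined-format access log lines and flags successful, unauthenticated fetches of the message_log page. It assumes the page's URL path contains "message_log" (the advisory names the page but not its full path) and that the device logs in the standard combined format; the log lines embedded below are constructed samples.

```python
import re

# Apache combined log format (the advisory lists Apache 2.2 on the device).
# Only the fields needed for the check are captured; the referer and
# user-agent at the end of the line are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the debug-log page's path contains "message_log".
SENSITIVE_PATH = re.compile(r'message_log', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_disclosure_hit(entry):
    """A 200 response to the message_log page for a client with no
    authenticated user ("-" in the remote-user field) is the event to
    alert on: the debug log was served without authentication."""
    return (entry['status'] == 200
            and entry['user'] == '-'
            and SENSITIVE_PATH.search(entry['path']) is not None)


def scan(lines):
    """Return (ip, time, path) for every unauthenticated disclosure hit;
    unparseable lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_disclosure_hit(entry):
            hits.append((entry['ip'], entry['time'], entry['path']))
    return hits


# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Oct/2020:10:15:02 +0200] "GET /message_log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Oct/2020:10:15:10 +0200] "GET /index.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [18/Oct/2020:10:16:00 +0200] "GET /message_log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [18/Oct/2020:10:17:30 +0200] "GET /message_log HTTP/1.1" 403 213 "-" "curl/7.64.0"',
    'this line is not a valid access-log entry',
]

if __name__ == '__main__':
    for ip, when, path in scan(SAMPLE_LOG):
        print(f'unauthenticated debug-log read: {ip} at {when} fetched {path}')
```

Only the first sample line is reported: the authenticated read and the 403 are not disclosures under this rule, and the malformed line is skipped. On an affected device the same check can run over the live Apache access log to find out whether the page was read before access to it was restricted.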
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro)
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Tested On
ReQuest Serious Play® OS v7.0.1
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vendor Status
[01.08.2020] Vulnerability discovered.
[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.
PoC
request_log.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159598/
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/190032
[3] https://www.exploit-db.com/exploits/48950
Changelog
[18.10.2020] - Initial release
[20.10.2020] - Added reference [1]
[26.10.2020] - Added reference [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk