ReQuest Serious Play F3 Media Server Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in ReQuest Serious Play F3 Media Server version 7.0.3. This vulnerability is unauthenticated and allows attackers to execute arbitrary commands as the web server user. The issue arises from the Quick File Uploader feature, which can be exploited to upload PHP executable files that are then executed on the server.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the server, with the executed commands running as the web server user.

Reproduction

To reproduce this vulnerability, access the hidden 'ReQuest Internal Utilities' page and navigate to the 'Quick File Uploader' section. Upload a PHP file disguised as a regular document. Once uploaded, the PHP file can be executed through the web server, resulting in a command execution on the server.