There's a easy exploiting vulnerability in:
https://github.com/humitos/pyfispot/blob/master/raspberrypi/home/pi/apps/pyfispot/main.py#L69

A fake X-Real-IP header will execute arbitrary command on the server