arxius: Local File Disclosure via ffmpeg

ID H1:242831
Type hackerone
Reporter cdl
Modified 2017-06-25T13:52:32



ffmpeg is video and audio software that is used for generating previews and for converting videos. Your current installation allows HLS playlists that contain references to external files, which leads to local file disclosure.


1.) Download this script by @neex
2.) Run the script: python3 file:///etc/passwd sxcurity.avi
3.) Now visit and upload sxcurity.avi
4.) You will now be redirected to your upload; let the video finish processing
5.) Once the video is done processing, click play and you will see the contents of /etc/passwd ;)
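The mechanism the report relies on is that ffmpeg's format probe treats an upload whose head contains an HLS playlist as HLS and then follows the playlist's references to other files. As an added example (not code from the report, from arxius, or from ffmpeg), here is a Python pre-check a service could run on the raw upload bytes before handing the file to ffmpeg; it flags files whose head carries a playlist header together with file-referencing playlist tokens. The sample blobs are constructed, and the scanner is a heuristic gate, not a substitute for a patched ffmpeg.

```python
# Marker that makes ffmpeg's probe select the HLS demuxer when it appears
# near the start of the input.
PLAYLIST_HEADER = b"#EXTM3U"

# Playlist tags and URI schemes that, inside a playlist, point the demuxer at
# other files. Their presence after the header is what we care about.
PLAYLIST_TOKENS = (b"#EXTINF", b"#EXT-X-", b"file:", b"concat:", b"subfile:")


def scan_upload(data: bytes, window: int = 1 << 20) -> dict:
    """Return {"reject": bool, "reasons": [...]} for an uploaded media blob.

    Only the first `window` bytes are examined: ffmpeg's format probe works on
    the head of the file, so that is where an embedded playlist has to sit to
    be picked up as HLS. A clean result is a heuristic, not a proof of safety;
    the real fix is a patched ffmpeg and a restricted demuxer/protocol set.
    """
    head = data[:window]
    reasons = []
    offset = head.find(PLAYLIST_HEADER)
    if offset != -1:
        reasons.append(f"HLS playlist header at offset {offset}")
        tail = head[offset:]
        for token in PLAYLIST_TOKENS:
            if token in tail:
                reasons.append(f"playlist token {token.decode()!r} follows header")
    return {"reject": bool(reasons), "reasons": reasons}


# Constructed samples (not real uploads). The first is the start of an
# ordinary AVI container; the second hides a playlist inside container-looking
# bytes, the shape of a "video" that is really an HLS playlist.
BENIGN_AVI = b"RIFF" + (1234).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 64
PLAYLIST_IN_AVI = (
    b"RIFF" + (1234).to_bytes(4, "little") + b"AVI " + b"\x00" * 16
    + b"#EXTM3U\n#EXTINF:1.0,\nfile:///CONSTRUCTED/path\n#EXT-X-ENDLIST\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_AVI), ("playlist", PLAYLIST_IN_AVI)):
        verdict = scan_upload(blob)
        print(name, "REJECT" if verdict["reject"] else "accept", verdict["reasons"])
```

Run it on the two constructed blobs: the plain AVI head is accepted, the one carrying a playlist is rejected with each matching token listed.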


[Screenshot: Contents of /etc/passwd]

[Screenshot: Contents of /etc/issue]

Thanks! -Corben Douglas (@sxcurity)

PS: I've attached my proof of concept avi file, just in case you are having trouble with that script!