Detect when Debug=True for Werkzeug servers

Registered by Kevin London

Patreon was just hacked, and it sounds like, from this blog post, that the activity can be traced to leaving debug=True on their Werkzeug-based server. When it is enabled, it potentially allows RCE through the browser.

http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug
http://colin.keigher.ca/2014/12/remote-code-execution-on-misconfigured.html
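As an added illustration of the check this blueprint asks for (this is example code written for this page, not Bandit's own plugin and not the code in the linked review), the detector below walks a module's AST and flags the two ways the Werkzeug debugger is normally switched on from Python: Flask's app.run(debug=True) and werkzeug.serving.run_simple(..., use_debugger=True), plus a bare app.debug = True assignment. The sample sources it scans are constructed here; the vulnerable one is the classic Flask quickstart with debug left on, the hardened one reads the flag from the environment so it cannot be a literal True in source. Like Bandit's own approach, it only reports when the module imports flask or werkzeug, so an unrelated .run(debug=True) does not produce noise.

```python
import ast

# Top-level packages whose presence makes a debug=True call worth reporting.
FRAMEWORKS = ("flask", "werkzeug")

# Constructed sample inputs (not taken from the page or from any real project).
VULNERABLE_SRC = '''
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

if __name__ == "__main__":
    app.run(debug=True)
'''

HARDENED_SRC = '''
import os
from flask import Flask
app = Flask(__name__)

if __name__ == "__main__":
    # Debug is never a literal True in source; it comes from the environment.
    app.run(debug=os.environ.get("FLASK_DEBUG") == "1")
'''

WERKZEUG_SRC = '''
from werkzeug.serving import run_simple
run_simple("0.0.0.0", 5000, application, use_debugger=True, use_evalex=True)
'''

UNRELATED_SRC = '''
class Job:
    def run(self, debug=False):
        return debug
Job().run(debug=True)
'''


def _imports_framework(tree):
    """True if the module imports flask or werkzeug (by top-level package name)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] in FRAMEWORKS for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in FRAMEWORKS:
                return True
    return False


def _dotted_name(node):
    """Dotted name of a call target or attribute, e.g. 'app.run'; '' if unresolvable."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _is_literal_true(node):
    # Only a literal True is reported; a variable or expression needs dataflow
    # analysis that a lint-style check deliberately does not attempt.
    return isinstance(node, ast.Constant) and node.value is True


def find_debug_enabled(source):
    """Return a list of (lineno, message) for debugger-enabling code in `source`."""
    tree = ast.parse(source)
    findings = []
    if not _imports_framework(tree):
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = _dotted_name(node.func).split(".")[-1]
            for kw in node.keywords:
                if not _is_literal_true(kw.value):
                    continue
                if kw.arg == "debug" and func == "run":
                    findings.append((node.lineno, "Flask app.run(debug=True) exposes the Werkzeug debugger"))
                elif kw.arg == "use_debugger" and func == "run_simple":
                    # use_evalex defaults to True, so the interactive console is on
                    # whenever the debugger itself is enabled.
                    findings.append((node.lineno, "werkzeug run_simple(use_debugger=True) exposes the debugger console"))
        elif isinstance(node, ast.Assign) and _is_literal_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, f"{_dotted_name(target)} = True enables debug mode"))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC),
                       ("werkzeug", WERKZEUG_SRC), ("unrelated", UNRELATED_SRC)):
        print(label, find_debug_enabled(src))
```

The check is intentionally syntactic: it catches the literal True that ships in most copy-pasted quickstart code, which is exactly the case the Patreon write-up describes, but it will miss debug=DEBUG with DEBUG defined elsewhere. Newer Werkzeug releases gate the console behind a PIN, which raises the bar but is not a substitute for leaving the debugger off in production.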

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
Kevin London
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Travis McPeak
Completed by
Travis McPeak

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/detect-werkzeug-debug-enabled,n,z

Addressed by: https://review.openstack.org/233713
    Add check for Flask app debug=True usage


Work Items
