mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-05 04:07:03 -07:00
27a8a27880
A Flask app left on debug=True wraps the WSGI app in Werkzeug's DebuggedApplication, which serves its debugger assets unauthenticated: GET /?__debugger__=yes&cmd=resource&f=debugger.js returns the debugger JavaScript with no PIN and no live exception required. That exposes the interactive console (an RCE vector) and tracebacks that leak source and config. Probe that asset path and match two JavaScript anchors stable across Werkzeug 0.14 through 3.0, so a page that only references the debugger does not match, then read the Werkzeug version from the Server header.
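The check the message describes, written out as an added Go example for this page (not code from the sif repository): it fetches the debugger asset, requires both anchors before reporting exposure, and parses the Werkzeug version from the Server header, so an operator can confirm that none of their own Flask deployments shipped with debug=True. The two anchor strings are assumed stand-ins, not the project's own.

```go
package main

import (
	"io"
	"net/http"
	"regexp"
	"strings"
	"time"
)

// Unauthenticated resource path served by Werkzeug's DebuggedApplication.
const debuggerAsset = "/?__debugger__=yes&cmd=resource&f=debugger.js"

// ASSUMED anchors from debugger.js; requiring both avoids matching a page that merely mentions the debugger.
var anchors = []string{"openShell", "EVALEX"}

// The Server header looks like "Werkzeug/3.0.1 Python/3.12.0".
var werkzeugVersion = regexp.MustCompile(`Werkzeug/([0-9]+(?:\.[0-9]+)*)`)

// Finding is the classification of one probe response.
type Finding struct {
	Exposed bool   // HTTP 200 and both anchors present in the body
	Version string // Werkzeug version from the Server header, "" if absent
}

// Classify is the pure decision logic: version from the header, exposure from the body.
func Classify(status int, serverHeader, body string) Finding {
	f := Finding{}
	if m := werkzeugVersion.FindStringSubmatch(serverHeader); m != nil {
		f.Version = m[1]
	}
	if status != http.StatusOK {
		return f
	}
	for _, a := range anchors {
		if !strings.Contains(body, a) {
			return f // one anchor alone is not enough
		}
	}
	f.Exposed = true
	return f
}

// Probe requests the asset from baseURL ("http://host:port") and classifies the reply.
func Probe(baseURL string) (Finding, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + debuggerAsset)
	if err != nil {
		return Finding{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the read at 1 MiB
	if err != nil {
		return Finding{}, err
	}
	return Classify(resp.StatusCode, resp.Header.Get("Server"), string(body)), nil
}
```

Call Probe against a host you operate; a Finding with Exposed set means the debugger console is reachable and the app should be redeployed with debug disabled.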