check debugger timeout consistently#3020
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
|
The development server states everywhere in the docs and terminal that is is only for development and must never be used in production. If a project is exposing the debugger in a non-development situation, then the security report would be to that project. These changes are fine, but are not considered a security fix. The pin is a very mild stopgap in case a project accidentally does expose the debugger, but is not expected to be particularly secure. All those pieces of information used to generate the cookie are used on purpose so that the pin isn't constantly changing. |
7703c2b to
3589131
Compare
3589131 to
c7d2b8b
Compare
Thank you for the review and accepting, and for maintaining a great project. I understand your point about the docs stating not to use this in production, but we all know that there is a non-zero percent chance that it will be used in production. In fact it was in my role as a penetration tester that I found the debugger enabled behind a PIN/cookie in production and was able to gain access to the required information to generate the PIN and cookie using a separate arbitrary file read in the affected application then use the debugger to gain code execution on the system. I would argue that the PIN/cookie is a security control, and that this was therefore a security issue. In any case, I’m glad I could help improve the security of the project and that you helped facilitate that so thank you again. |
This pull request introduces 2 changes:
These changes enhance the security of the debugger because it is possible to generate a cookie if knowledge of the environment is known (i.e. APPNAME, CGROUP, FLASKPATH, MACADDRESS, MACHINEID, MODULENAME & SERVICEUSER). It may be possible to access enough information about the environment if the application using werkzeug contains a vulnerability such as arbitrary file read, e.g. using path traversal. This could result in the debugger being used to turn a medium-risk vulnerability into a critical-risk one (i.e. remote code execution).
An exploit module for Metasploit is publicly available that will generate a cookie when provided with the required information (disclaimer: I am the author of the module, but I also want to improve the security of werkzeug, even though it will make the exploit less effective).