Bug 1366844
| Summary: | Flask or other framework and web app who use the Debugger of werkzeug may be a security issue. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nearg1e <yourneargo> | ||||
| Component: | python-werkzeug | Assignee: | Rick Elrod <relrod> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | ian, karlthered, phalliday, relrod | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-08-16 23:12:55 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
You can report it upstream (https://github.com/pallets/werkzeug), but in practice I think it's not really an issue. The debugger should never be enabled in production, as per the docs (http://werkzeug.pocoo.org/docs/0.11/debug/#debugger-pin) "Never enable the debugger in production." *** Bug 1366833 has been marked as a duplicate of this bug. *** |
Created attachment 1190639 [details] the markdown file Description of problem: If a website developed by python-flask or other werkzeug-base framework run in debug mode which use the Debugger of werkzeug,it may be XSS by triggering an error。 Version-Release number of selected component (if applicable): <= 0.11.10 How reproducible: Steps to Reproduce: 1. For example, a common Flask code: from flask import Flask, request app = Flask(__name__) @app.route("/xss-debug-test/", methods=['POST']) def xss_debug_test(): id = int(request.form['id']) # or id = int(request.args.get('id')) return "XSS" if __name__ == "__main__": app.run(debug=True) 2. If the hacker posted “id=1</textarea><script>alert(/XSS/)</script>” to the url "/xss-debug-test/", the JavaScript in payload will be run in client. Additional info: The problem code is in the werkzeug/debug/tbtools.py, line 349: def render_full(self, evalex=False, secret=None, evalex_trusted=True): """Render the Full HTML page with the traceback info.""" exc = escape(self.exception) # the exception info use the escape method return PAGE_HTML % { 'evalex': evalex and 'true' or 'false', 'evalex_trusted': evalex_trusted and 'true' or 'false', 'console': 'false', 'title': exc, 'exception': exc, 'exception_type': escape(self.exception_type), 'summary': self.render_summary(include_title=False), 'plaintext': self.plaintext, # the plaintext did not use the escape method 'plaintext_cs': re.sub('-{2,}', '-', self.plaintext), 'traceback_id': self.id, 'secret': secret } See the code, the 'exc' variable use the escape method, but the 'plaintext' variable did not use. And it contained the exception info too in generate_plaintext_traceback function.