`OpenSite/settings.py` ships with:

```python
DEBUG = True
ALLOWED_HOSTS = ['*']
```
and the app has an easy unauthenticated exception trigger at `/scripts/`:

```python
from django.views.decorators.csrf import csrf_exempt

# Excerpt of the view; login() is the app's own helper (it takes only the request).
@csrf_exempt
def scripts(request):
    login(request)
    # Direct indexing: raises MultiValueDictKeyError when 'action' is absent
    if request.POST['action'] == 'UPLOAD_NETWORK':
        ...
```
A plain `GET /scripts/` or empty request raises:

```
django.utils.datastructures.MultiValueDictKeyError: 'action'
```
When this is deployed with `DEBUG = True`, an internet visitor can trigger Django's debug error page and obtain internal traceback information instead of a generic 500 response.

At minimum, `DEBUG` should be disabled outside development, and `/scripts/` should validate method and required parameters before indexing `request.POST`.

Django redacts known secret environment variables, but this isn't foolproof. From a quick check of public OpenBench instances, almost all of them (>90%) had `DEBUG = True`, and at least one of them had a private secret (a Discord webhook URL) visible in the response.
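As an added audit check, not code from this report or from OpenBench: a static scan of a `settings.py` for the two settings quoted above, plus URL-valued settings whose names fall outside Django's debug-page redaction pattern (the pattern is reproduced from `django/views/debug.py` and assumed current; the `DISCORD_WEBHOOK_URL` name in the sample is constructed, not a real OpenBench setting).

```python
import ast
import re
from typing import List

# Django's debug page redacts settings whose NAME matches this pattern
# (SafeExceptionReporterFilter.hidden_settings in django/views/debug.py).
# Assumed current; it is matched against names, not values, which is why a
# webhook URL stored under an unmatched name is shown in full on the debug page.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE", re.I)

# Constructed sample: the shipped settings plus a hypothetical webhook setting.
SAMPLE_SETTINGS = """
DEBUG = True
ALLOWED_HOSTS = ['*']
DISCORD_WEBHOOK_URL = 'https://discord.example/api/webhooks/PLACEHOLDER'
"""


def audit_settings(source: str) -> List[str]:
    """Return findings for a settings.py source text. Static check: only literal
    assignments are inspected, so DEBUG read from the environment is not flagged."""
    findings = []
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, value = node.targets[0].id, node.value
        if name == "DEBUG" and isinstance(value, ast.Constant) and value.value is True:
            findings.append("DEBUG = True: unhandled exceptions render the debug page "
                            "with the traceback and settings")
        elif name == "ALLOWED_HOSTS" and isinstance(value, (ast.List, ast.Tuple)):
            if any(isinstance(e, ast.Constant) and e.value == "*" for e in value.elts):
                findings.append("ALLOWED_HOSTS contains '*': any Host header is accepted")
        elif (isinstance(value, ast.Constant) and isinstance(value.value, str)
              and value.value.startswith(("http://", "https://"))
              and not HIDDEN_SETTINGS.search(name)):
            findings.append(f"{name}: URL-valued setting whose name is not covered by "
                            "the redaction pattern; shown in clear on the debug page")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print("-", finding)
```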