Insecure Functionality Exposed in Python
Play Python Labs on this vulnerability with SecureFlag!
Flask
Flask (via Werkzeug) provides debugging functionalities via the browser when an exception is raised. Even though a PIN can be provided so that only developers are able to access this feature, it should never be enabled in a production environment. When debug mode is enabled, the full stack traces are displayed. An interactive Python shell is also provided, by default this is protected by a PIN. If the PIN is disabled or easily guessable, the shell can be used to compromise the system.
Vulnerable Example
The debugger mode can be enabled with the FLASK_DEBUG=1 environment variable, while the PIN can be disabled with WERKZEUG_DEBUG_PIN=off or set to a predictable value.
Prevention
Never ship debugging features in production environments.