
Insecure default app.run(debug=True, ...)

Open moohax opened this issue 1 year ago • 0 comments

This repo doesn't seem to get updates, but for awareness, run.py sets debug=True by default. This means /console is available wherever the application is deployed. To exploit this, run commands via the Python interpreter: print(__import__('os').popen('ls -al').read())

Suggested fix:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from caqe import app

# debug=False keeps the Werkzeug debugger (and its /console) off;
# threaded=True keeps the dev server answering concurrent requests.
app.run(debug=False, threaded=True)

moohax Mar 24 '23 23:03
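The point of the issue above is that `debug=True` in `run.py` ships the Werkzeug interactive debugger to every deployment, and its `/console` evaluates arbitrary Python. As an added example (not CAQE's own code, and not part of the issue), the block below shows a guarded way to build the `app.run()` arguments so the debugger only comes on when explicitly requested and then only bound to loopback, plus a small heuristic check for a response that looks like an exposed `/console`. The environment variable names (`CAQE_DEBUG`, `CAQE_HOST`, `CAQE_PORT`) are illustrative assumptions, not names the project defines; the sample response body is constructed here, and the marker strings are assumed to match what the Werkzeug debugger page contains.

```python
"""
Added example, not the CAQE project's code. Hardened replacement for the
one-line run.py discussed in the issue: the Werkzeug debugger (and /console)
is off unless explicitly enabled, and even then is refused on a non-loopback
bind address. Environment variable names are illustrative assumptions.
"""
import os

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def run_kwargs(env, loopback_only=True):
    """Build the keyword arguments for app.run() from an environment mapping.

    debug defaults to False. It is only enabled when CAQE_DEBUG=1 (assumed
    name), and in that case the bind address must be loopback so the
    interactive console is never reachable from the network. use_debugger and
    use_evalex are passed through to werkzeug.serving.run_simple; use_evalex
    is the switch that lets /console and traceback frames execute code.
    """
    want_debug = env.get("CAQE_DEBUG", "0") == "1"
    host = env.get("CAQE_HOST", "127.0.0.1")
    if want_debug and loopback_only and host not in LOOPBACK_HOSTS:
        raise ValueError("refusing debug=True on non-loopback host %r" % (host,))
    return {
        "debug": want_debug,
        "use_debugger": want_debug,
        "use_evalex": want_debug,
        "use_reloader": False,  # no second process spawned on reload
        "host": host,
        "port": int(env.get("CAQE_PORT", "5000")),
        "threaded": True,
    }


# Assumed markers for the Werkzeug debugger console page; adjust if the
# installed Werkzeug version renders differently.
CONSOLE_MARKERS = (b"Werkzeug Debugger", b"CONSOLE_MODE")


def console_exposed(status, body):
    """Heuristic check for a deployment that still serves the debugger.

    A request for /console that returns 200 with debugger markup in the body
    means the interactive console is reachable from wherever the request was
    made. A hardened instance answers 404 (no such route) instead.
    """
    return status == 200 and any(marker in body for marker in CONSOLE_MARKERS)


# Constructed sample: a trimmed stand-in for the HTML /console returns when
# debug=True is on. It is not captured from a real CAQE deployment.
SAMPLE_CONSOLE_BODY = (
    b"<!doctype html><html><head>"
    b"<title>Console // Werkzeug Debugger</title>"
    b"<script>var CONSOLE_MODE = true;</script>"
    b"</head><body><div class=\"debugger\"></div></body></html>"
)


if __name__ == "__main__":
    # Stand-in for run.py: same import as in the issue, but the debugger is
    # off unless CAQE_DEBUG=1 is set, and then only on a loopback bind.
    from caqe import app  # noqa: E402  (assumed to exist as in the issue)

    app.run(**run_kwargs(os.environ))
```

With no environment variables set this yields `debug=False, host='127.0.0.1', threaded=True`, which is the behaviour the suggested fix asks for; setting `CAQE_DEBUG=1` together with `CAQE_HOST=0.0.0.0` raises instead of silently exposing the console on all interfaces. To verify a running instance, fetch `/console` and pass the status code and body to `console_exposed`.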