How Patreon (probably) got hacked – Publicly exposed Werkzeug Debugger (detectify.com)
32 points by jsnathan on Oct 2, 2015 | hide | past | favorite | 5 comments


I was pretty divided on publishing this, mostly because I know the people over at Patreon are really doing a great job around security in general and I didn't want to bring more gasoline to the fire. (Is that a working proverb?)

However, due to the fact that there have been posts around publicly available Werkzeug Debuggers before and also the fact that there are so many still out there, I still decided to do it.

Also worth noting that Shodan.io even crawled this host when the instance actually launched the Debugger directly upon visiting it. This made it extremely easy for an attacker to actually exploit this vulnerable endpoint only by visiting the domain. Visit domain -> Werkzeug Debugger -> "[console ready]" -> RCE.


As an employee of Patreon, we totally respect this decision. If other companies can learn from our mistakes (and, hopefully, our successes in encryption, disclosure, etc.), then that seems like the best thing that can come out of this.

While we were very aware of the dangers of the debugger, we ran with it anyway on our development servers because we were confident our development instances were behind our VPN, and the debugger is quite useful for... you know, debugging :D This server slipped through the cracks, and we were not fast enough to pull it back in.

What's definitely most upsetting is articles like this http://arstechnica.com/security/2015/10/patreon-was-warned-o... that were posted in response to your write-up which state that it was our production server which was compromised, and other inaccurate data.
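The exposure chain described in the first comment (reachable host, debugger page, interactive console) and Patreon's reliance on the VPN boundary, turned into a start-up guard and a log check as an added example. This is not code from the post, Detectify or Patreon; the APP_ENV variable, the loopback-only policy and the sample log lines are assumptions constructed for the example.

```python
"""Refuse to enable Werkzeug's interactive debugger on a publicly reachable
bind address, and flag access-log lines that touch the debugger endpoints."""
import ipaddress
import re


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; False for 0.0.0.0, :: or any other address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname we cannot classify is treated as not loopback
        return False


def serving_options(host: str, app_env: str, want_debugger: bool) -> dict:
    """Build keyword arguments for werkzeug.serving.run_simple().

    Weak setting: use_debugger=True while bound to 0.0.0.0 serves the console to
    anyone who can reach the port, VPN or not. Corrected: the debugger and its
    eval console (use_evalex) are enabled only when APP_ENV (assumed variable)
    is 'development' AND the bind address is loopback, so a dev server that
    slips outside the VPN still cannot expose the console.
    """
    allowed = want_debugger and app_env == "development" and is_loopback(host)
    return {"hostname": host, "use_debugger": allowed, "use_evalex": allowed}


REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def debugger_hits(access_log: str) -> list:
    """Return (client_ip, request_target) for lines that hit the debugger
    console path or carry the __debugger__=yes query the debugger uses."""
    hits = []
    for line in access_log.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group(1)
        path, _, query = target.partition("?")
        if path == "/console" or "__debugger__=yes" in query:
            hits.append((line.split()[0], target))
    return hits


# Constructed sample lines in Werkzeug's default request-log format.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Oct/2015 10:00:01] "GET /api/users HTTP/1.1" 200 -
198.51.100.7 - - [02/Oct/2015 10:00:05] "GET /console HTTP/1.1" 200 -
198.51.100.7 - - [02/Oct/2015 10:00:09] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 -
"""
```

Any hit from a non-loopback client on a host that was supposed to sit behind the VPN is the signal to treat that instance as already compromised, as the original post advises.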


Thanks for the reply. I actually contacted Dan to clarify that specific statement. My guess is that he misunderstood "publicly available host" with production.


> Unfortunately there are thousands of publicly available instances of Werkzeug out there and each and every one of them should take proper mitigation actions as if they have already been exploited.

This should probably say "publicly available instances of the Werkzeug debugger". Werkzeug without the debugger is perfectly safe AFAIK.


Thanks, will change that!



