SigmaGmbH / Bug-Bounty-1.0

This repo consolidates reported issues from swisstronik-evm-module, swisstronik-librustgo, and swisstronik-chain repositories, complemented by all the Bug Bounty 1.0 program details and rewards for developers.

Django Debug Enabled Revealing System, Database, and Configuration File Information #14

Closed termireum closed 12 months ago

termireum commented 1 year ago

1. Bug/Vulnerability Description

Django Debug Enabled Revealing System, Database, and Configuration File Information

2. Hardware and Software Specifications

N/A

3. Steps to Reproduce

Visit https://issuer.sdi.swisstronik.com/ using the IP address 143.244.58.65. The leaked information includes:

- Django version
- Python version
- IP addresses
- Database details (username, URL, type, port)

4. Impact Analysis

The disclosed information poses a potential risk as it allows an attacker to obtain details such as Django and Python versions, database type, database username, current database name, Django project configuration details, internal file paths, exception-generated source code, and local variables with their values. This information could empower an attacker to gain more insights and potentially develop further targeted attacks on the target system.

5. Code Fix Submission

Set DEBUG=False in your Django settings.py file

6. Choose the Right Label

Information Disclosure

7. Additional Context

swisstronik
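
The fix in section 5 is a one-line setting change; the example below is added here and is neither Swisstronik's nor Django's code. It shows a `DEBUG` value that can only be switched on by an explicit environment variable (so it never defaults to `True` in production), and a check a defender can run against their own deployment's error responses to confirm the technical debug page is no longer served. The marker strings follow the wording of Django's technical error template; the sample response bodies are constructed.

```python
import re
from typing import Dict, Optional

# Footer text Django's technical 500/404 page emits only when DEBUG = True
# (wording from django/views/templates/technical_500.html; assumed stable).
DEBUG_FOOTER = "you have <code>DEBUG = True</code> in your"

# Table rows on that page that leak environment details.
ROW_RE = re.compile(
    r"<th[^>]*>\s*(Django Version|Python Version|Server time):\s*</th>\s*<td>(.*?)</td>",
    re.S,
)


def debug_from_env(value: Optional[str]) -> bool:
    """Derive settings.DEBUG from e.g. os.environ.get('DJANGO_DEBUG').

    Only an explicit '1', 'true' or 'yes' enables debug mode; an unset,
    empty or misspelled value yields False, so production stays safe.
    """
    return (value or "").strip().lower() in {"1", "true", "yes"}


def is_django_debug_page(body: str) -> bool:
    """True if an HTTP error body is Django's technical (DEBUG) error page."""
    return DEBUG_FOOTER in body or "Django Version:" in body


def leaked_fields(body: str) -> Dict[str, str]:
    """Extract the version/time rows the technical page discloses, if any."""
    return {
        name: re.sub(r"<[^>]+>", "", value).strip()
        for name, value in ROW_RE.findall(body)
    }


# Constructed sample bodies, not captured from any real host.
DEBUG_BODY = """<html><body><h1>ValueError at /</h1>
<table><tr><th scope="row">Django Version:</th><td>4.2.7</td></tr>
<tr><th scope="row">Python Version:</th><td>3.11.4</td></tr></table>
<p>You're seeing this error because you have <code>DEBUG = True</code> in your
Django settings file.</p></body></html>"""
HARDENED_BODY = "<h1>Server Error (500)</h1>"

if __name__ == "__main__":
    print(is_django_debug_page(DEBUG_BODY), leaked_fields(DEBUG_BODY))
    print(is_django_debug_page(HARDENED_BODY), leaked_fields(HARDENED_BODY))
```

Running the check against the hardened deployment should report `False` and an empty dict; a `True` result means the setting has not taken effect on the host that actually serves the site.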

SantiagoDevRel commented 12 months ago

Hi @termireum, thank you so much for submitting this issue; we genuinely appreciate your commitment to our community and your dedication to improving the overall Swisstronik experience. Please note that, unfortunately, this issue falls outside the scope of our bug bounty program, as outlined here. Thank you 💪