URL: https://hackerone.com/reports/1033423

22
#1033423
Django Debug=True Leaks admin email addresses and several system information
Timeline
iamsanskar
submitted a report to Mail.ru.
November 13, 2020, 6:15am UTC


DOMAIN, SITE, APPLICATION

weblate.ucs.ru


STEPS TO REPRODUCE


FOR GETTING ALL URL PATTERNS

1. Open https://weblate.ucs.ru/
2. Now after / enter any random string
3. It will open a 404 page which contains all the URL patterns of the website

FOR GETTING ALL DEBUG INFO

1. Open https://weblate.ucs.ru
2. Now go to https://weblate.ucs.ru/widgets/platformx/-/svg-badge.svg
3. Boom, you got all details

RECOMMENDED FIX

Change Debug to False from True

REFERENCE

https://www.troyhunt.com/graphic-demonstration-of-information/


IMPACT

An attacker can obtain information such as:

 * Exact Django & Python version
 * Used database type, database user name, current database name
 * Details of the Django project configuration
 * Internal file paths
 * Email of admin is also disclosed
 * Exception-generated source code, local variables and their values
 * All URLs of the web app are also disclosed

This information might help an attacker gain more information and potentially
focus on the development of further attacks on the target system.
 * 2 attachments:
 * F1076461: Screenshot_2020-11-13_11-44-49.png
 * F1076462: Screenshot_2020-11-13_11-42-18.png
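The following is an added example, not code from the report, from Weblate or from Mail.ru. It covers the two things a defender wants after a report like this: a pre-deploy check that flags `DEBUG = True` together with the settings that interact with it (`ADMINS`, whose addresses are rendered on the technical 500 page, and `ALLOWED_HOSTS`, which Django requires once `DEBUG` is off), and a response check that recognises Django's own debug pages so the fix can be confirmed on your own hosts. It goes slightly beyond the report by covering the 500 page as well as the 404 page. The settings dicts, host names, e-mail address and sample response bodies are all constructed for the example; the marker strings are phrases Django's technical 404/500 templates emit.

```python
"""Added example (not code from the report, Weblate or Mail.ru): audit Django
settings for the DEBUG=True exposure described above, and recognise Django's
own debug pages in an HTTP response so the fix can be confirmed on your own
hosts. All settings dicts, host names and sample response bodies below are
constructed for this example."""

# Constructed 'before' settings: the shape of a deployment that leaks this way.
WEAK_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    # Placeholder address; ADMINS is listed in full on the technical 500 page.
    "ADMINS": [("Site Admin", "admin@example.invalid")],
}

# Constructed 'after' settings: the fix the report recommends (DEBUG off),
# plus ALLOWED_HOSTS, which Django requires once DEBUG is False.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["weblate.example.invalid"],  # placeholder host
    # ADMINS can stay: with DEBUG off it is only used to e-mail error reports.
    "ADMINS": [("Site Admin", "admin@example.invalid")],
}


def audit_settings(settings):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append(
            "DEBUG is True: 404 pages list every URL pattern and 500 pages "
            "dump settings, versions, paths, source and local variables")
        if settings.get("ADMINS"):
            findings.append(
                "ADMINS is set while DEBUG is True: the admin e-mail "
                "addresses are rendered in the Settings section of the "
                "technical 500 page")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append(
            "ALLOWED_HOSTS is empty: set it before turning DEBUG off, or "
            "every request will be rejected with DisallowedHost (400)")
    return findings


# Phrases emitted by Django's technical 404/500 templates; the plain
# production error pages contain none of them.
DEBUG_PAGE_MARKERS = (
    "seeing this error because you have",
    "DEBUG = True",
    "Django tried these URL patterns, in this order",
    "Django Version:",
    "Python Version:",
)


def debug_page_markers(body):
    """Return the debug-page markers present in a response body."""
    return [marker for marker in DEBUG_PAGE_MARKERS if marker in body]


# Constructed response bodies modelled on Django's 404 output with DEBUG on
# and off (the production text is Django's default 404 handler output).
SAMPLE_DEBUG_404 = (
    "<h1>Page not found <span>(404)</span></h1>\n"
    "<p>Using the URLconf defined in <code>project.urls</code>, Django tried "
    "these URL patterns, in this order:</p>\n"
    "<ol><li>admin/</li><li>widgets/&lt;slug:project&gt;/</li></ol>\n"
    "<p>You're seeing this error because you have <code>DEBUG = True</code> "
    "in your Django settings file.</p>\n"
)
SAMPLE_PROD_404 = (
    "<h1>Not Found</h1><p>The requested resource was not found on this "
    "server.</p>"
)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{name} settings: {audit_settings(cfg) or ['ok']}")
    for name, body in (("debug 404", SAMPLE_DEBUG_404),
                       ("prod 404", SAMPLE_PROD_404)):
        print(f"{name}: {debug_page_markers(body) or ['no debug markers']}")
```

Running the module prints three findings for the weak settings and none for the hardened ones, and flags the constructed debug 404 body while leaving the production 404 clean. `audit_settings` takes a plain dict so it can be pointed at `django.conf.settings.__dict__`-style data in a deploy check without importing Django here.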

3apa3a
 updated the severity from medium to none. 
November 13, 2020, 7:47am UTC
3apa3a
 changed the status to Triaged. 
November 13, 2020, 7:48am UTC
Thank you for your report to Mail.Ru Group! We appreciate your time for helping
us to make our web services safer.
Your report has passed an initial review and was assigned to a security engineer.
The security engineer will contact you only if there are any questions on
reproducing the bug or some additional information from you is required. He will
manage the patching process. Once the bug is completely fixed, this report will be
transferred to the "Resolved" state; it can take some time.
Unfortunately, your report is not eligible for monetary reward (check the
rules). We say "thank you" for your help and contribution.
Mail.ru
 has decided that this report is not eligible for a bounty. 
November 18, 2020, 3:15pm UTC
m_ar
 closed the report and changed the status to Resolved. 
December 3, 2020, 5:26pm UTC
This bug has been fixed! Please confirm that you are no longer able to reproduce
the issue.
iamsanskar
 posted a comment. 
December 8, 2020, 8:59am UTC
I'm no longer able to reproduce it.
iamsanskar
 requested to disclose this report. 
December 8, 2020, 9am UTC

 This report has been disclosed. 
January 7, 2021, 9am UTC


Reported
November 13, 2020, 6:15am UTC

Participants
iamsanskar

Reported to
Mail.ru

Report Id
#1033423

Status
Resolved


--------------------------------------------------------------------------------

Disclosed
January 7, 2021, 9am UTC

Severity
None (0.0)

Weakness
Information Exposure Through Debug Information


--------------------------------------------------------------------------------

Bounty
None


--------------------------------------------------------------------------------

CVE ID
None

Account de...
None


--------------------------------------------------------------------------------

