PHPGurukul News Portal
cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*
- 1.0
A vulnerability exists in PHPGurukul News Portal version 1.0, specifically within the Django application. The issue arises from the DEBUG mode being enabled in the production settings file, which should only be active during development. This misconfiguration allows the application to generate detailed error pages that expose sensitive information, including full Python stack traces, file paths, environment variables, and database details. The vulnerability can be exploited remotely by triggering an error, such as through malformed input, making it low-effort but high-impact.
Enabling DEBUG mode in a production environment exposes extensive sensitive information through detailed error pages. This includes application architecture, configuration details, database information, system information, and request/response data. Such exposure can lead to various attacks, such as SQL injection exploitation, path traversal, version-specific exploit development, and authentication bypass.
The vulnerability can be reproduced by accessing a non-existent URL, which will trigger a 404 error page that includes debug information. Alternatively, a 500 Internal Server Error can be induced by sending invalid data to an API endpoint, which will also return a debug page with sensitive information. This vulnerability can also be exploited by causing a database error, which will reveal the exact SQL query that was executed, along with other database-related information.
To address this vulnerability, immediately disable DEBUG mode in the production settings file and configure the ALLOWED_HOSTS setting. Additionally, set up custom error pages and ensure proper logging of error details.
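The remediation above can be checked before deployment. The following is an added example, not code from the advisory or the affected project: a static audit of a Django settings file for `DEBUG`, `ALLOWED_HOSTS` and `LOGGING`. The sample settings, the hostname `news.example.org`, the log path and the function names are constructed for illustration.

```python
import ast

# Constructed sample settings files (not taken from the affected project).
WEAK_SETTINGS = "DEBUG = True\nALLOWED_HOSTS = []\n"
HARDENED_SETTINGS = '''
DEBUG = False
ALLOWED_HOSTS = ["news.example.org"]   # placeholder hostname
LOGGING = {
    "version": 1,
    "handlers": {"errors": {"class": "logging.FileHandler",
                            "filename": "/var/log/app/error.log", "level": "ERROR"}},
    "root": {"handlers": ["errors"], "level": "ERROR"},
}
'''

def top_level_assignments(source):
    """Map NAME -> value node for simple module-level assignments."""
    found = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    found[target.id] = node.value
    return found

def audit_settings(source):
    """Return findings for the settings named in the remediation above."""
    assigned = top_level_assignments(source)
    findings = []
    debug = assigned.get("DEBUG")          # absent means Django's default, False
    if debug is not None and not isinstance(debug, ast.Constant):
        findings.append("DEBUG is computed at runtime; verify it is False in production")
    elif debug is not None and debug.value is not False:
        findings.append("DEBUG is enabled")
    try:
        hosts = ast.literal_eval(assigned["ALLOWED_HOSTS"]) if "ALLOWED_HOSTS" in assigned else []
    except (ValueError, TypeError):
        hosts = None                       # not a literal, cannot be checked statically
    if not isinstance(hosts, (list, tuple)):
        findings.append("ALLOWED_HOSTS is not a literal list; verify it by hand")
    elif not hosts:
        findings.append("ALLOWED_HOSTS is empty")
    elif "*" in hosts:
        findings.append("ALLOWED_HOSTS contains the '*' wildcard")
    if "LOGGING" not in assigned:
        findings.append("LOGGING is not set; only Django's default logging applies")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(text))
```

With `DEBUG = False`, Django serves the project's `404.html` and `500.html` templates instead of the debug pages, so the custom error pages mentioned above should exist before the setting is changed.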