Algernon
cpe:2.3:a:algernon_project:algernon:*:*:*:*:*:*:*
- <= 1.17.6
A vulnerability in Algernon web server versions through 1.17.6 allows for unintentional debug mode activation when the server is started with a single file path instead of a directory. This debug mode, enabled by default for certain file types, activates the PrettyError renderer, which exposes sensitive information by dumping the full server-side source of the file that triggered an error, along with any related Lua data files. The information is served with an HTTP 200 OK status to the requester, without any authentication or rate limiting. This vulnerability is particularly concerning when Algernon is run as a system service, where the single-file mode can override production settings meant to enhance security.
Exploitation of this vulnerability leads to a high confidentiality risk, as it allows unauthorized access to the full source code of server-side scripts, including sensitive information such as API keys and authentication tokens. In production environments, this could expose critical application logic and data handling procedures.
To reproduce this vulnerability, upload a Lua data file containing sensitive information, such as an AWS secret, alongside a Pongo2 template file that references the data file. Then, invoke the Algernon server with the template file in single-file mode, which will trigger the debug mode and cause the sensitive data to be leaked in the response.
Users can update to Algernon version 1.17.7 or later, where this vulnerability has been fixed. Additionally, when running Algernon as a system service, avoid pointing the ExecStart command at a single Lua or Pongo2 template file; give it the site directory instead.
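As an added illustration of that service-level mitigation (example code, not part of this advisory or of the Algernon project), the check below scans systemd unit text and flags an ExecStart whose positional argument is a single Lua or Pongo2 file, i.e. a unit that would start the server in single-file mode. The two unit files, the binary path and the set of script extensions are constructed assumptions.

```python
import shlex

# Constructed sample systemd units (not from the Algernon project). The first
# hands Algernon a single template file, which puts the server in single-file
# mode; the second points it at the site directory instead.
WEAK_UNIT = """[Unit]
Description=Algernon site (weak: single-file mode)

[Service]
ExecStart=/usr/local/bin/algernon /srv/site/index.po2
Restart=always
"""

FIXED_UNIT = """[Unit]
Description=Algernon site (directory mode)

[Service]
ExecStart=/usr/local/bin/algernon /srv/site
Restart=always
"""

# Assumed extensions for Lua scripts/data files and Pongo2 templates.
SCRIPT_EXTS = (".lua", ".po2")


def exec_start_argv(unit_text):
    """argv of the last ExecStart= line seen ([] if none, or if the last one
    is the empty reset form 'ExecStart='). Executable prefixes such as '-' or
    '@' are stripped before shell-style splitting."""
    argv = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "ExecStart":
            argv = shlex.split(value.strip().lstrip("-@:+!"))
    return argv


def single_file_targets(unit_text):
    """Positional ExecStart arguments that name a single Lua/Pongo2 file."""
    args = exec_start_argv(unit_text)[1:]  # drop the binary itself
    return [a for a in args
            if not a.startswith("-") and a.lower().endswith(SCRIPT_EXTS)]


def audit(unit_text):
    hits = single_file_targets(unit_text)
    if hits:
        return "WEAK: single-file mode on " + ", ".join(hits)
    return "OK: ExecStart does not name a single Lua/Pongo2 file"
```

Run `audit()` over the unit files of any Algernon service you operate; a WEAK verdict means the deployment is in the configuration the advisory describes and the unit should be repointed at a directory.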