Remote Code Execution on a Facebook server
I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper which covers a vulnerability I discovered on one of Facebook’s servers. While scanning an IP range that belongs to Facebook (18.104.22.168/24), I found a Sentry service hosted on 22.214.171.124, with the hostname sentryagreements.thefacebook.com.
Sentry is a log collection web application, written in Python with the Django framework. While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason. The application seemed to be unstable regarding the user password reset feature, which occasionally crashed.
Django debug mode was not turned off, which consequently prints the whole environment when a stacktrace occurs. However, Django snips critical information (passwords, secrets, key…) in those stacktraces, therefore avoiding a massive information leakage.