George, I think you don't get the point here. Everyone understands that the Flask development server is very vulnerable; the thing is, it doesn't matter. The first thing you read when you start developing with Flask (also Django, Rails, etc., etc.) is that the server they provide IS JUST FOR DEVELOPMENT. They said it out loud. You're supposed to deploy your app with well-known, production-ready servers like Apache, Nginx, etc.
Filing a CVE against Flask "just to tell people" is pointless, because the Flask docs themselves are telling people not to use the server for a production environment. And believe me, people that are indeed using it in a production environment are way more likely to read the Flask documentation than a CVE report... Also, you don't need clever tricks like a SYN flood or anything like it to DoS the Flask server: since it is by default a single-threaded server, you will only need 3 or 4 clients requesting concurrently to bring it down, nothing fancy.
On the other side, I think you made your point. I've seen that the Flask developers are currently putting some effort into the documentation to make it "CLEARER THAN WATER" that the Flask server is not intended for production.
Kind regards,
Paulo Bu
Software developer at TMG
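The practical follow-up to the point above is finding the Flask/Werkzeug development servers that did end up facing users. This is an added example, not code from the thread or from the Flask project: it classifies HTTP responses by their Server header (the Werkzeug dev server identifies itself as "Werkzeug/<version> Python/<version>") so an inventory check can flag services that should be moved behind a production WSGI server. The sample headers and host names are constructed.

```python
"""Flag HTTP services whose Server header reveals the Werkzeug development
server, the one Flask's app.run() starts. Added example with constructed data."""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional

# Werkzeug's dev server reports itself as "Werkzeug/<ver> Python/<ver>".
_WERKZEUG_RE = re.compile(r"^Werkzeug/(?P<version>[\w.]+)\b")


def parse_dev_server_header(server_header: Optional[str]) -> Optional[str]:
    """Return the Werkzeug version if this Server header is the dev server, else None."""
    if not server_header:
        return None
    match = _WERKZEUG_RE.match(server_header.strip())
    return match.group("version") if match else None


def classify(headers: Dict[str, str]) -> str:
    """Turn one response's headers into an inventory verdict."""
    # Header names are case-insensitive; normalise before looking up Server.
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server")
    version = parse_dev_server_header(server)
    if version:
        return f"DEV-SERVER werkzeug/{version}: move behind a production WSGI server"
    if server is None:
        return "UNKNOWN: no Server header"
    return f"OK: {server}"


def probe(url: str, timeout: float = 5.0) -> str:
    """HEAD one URL and classify it; 4xx/5xx responses still carry a Server header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(dict(resp.headers))
    except urllib.error.HTTPError as err:      # error page, but headers are valid
        return classify(dict(err.headers))
    except Exception as exc:                   # unreachable host, TLS failure, ...
        return f"ERROR: {exc.__class__.__name__}"


# Constructed sample responses standing in for real probes.
SAMPLES = {
    "app-a.example": {"Server": "Werkzeug/0.9.6 Python/2.7.6", "Content-Type": "text/html"},
    "app-b.example": {"server": "nginx/1.6.2"},
    "app-c.example": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        print(host, classify(hdrs))
```

Run `probe("http://<host>/")` against your own hosts to replace the constructed samples with live responses.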
On 07 Sep 2014, at 20:44, Gregory Disney <gregory.disney-***@public.gmane.org> wrote:
Here's the risk I calculated to the CVSS, this is a pretty common score for DoS attacks. This is based off the CIA triad, since a DoS attack compromises Integrity and Accessibility, they usually get pretty high up there score-wise.
CVSS Base Score: 9.4
Impact Subscore: 9.2
Exploitability Subscore: 10
CVSS Temporal Score: 9.4
CVSS Environmental Score: 10
Modified Impact Subscore: 10
Overall CVSS Score: 10
Show Equation: http://nvd.nist.gov/cvss.cfm?calculator&version=2#score
On Sun, Sep 7, 2014 at 11:40 AM, Gregory Disney <gregory.disney-***@public.gmane.org> wrote:
Calculate the risk for yourself, http://nvd.nist.gov/cvss.cfm?calculator&version=2. Nowhere are points dropped because the environment is development versus production. It's fine, it is a do-not-fix on your half. I will have to file a CVE against Flask though to alert developers using Flask of this vulnerability. If you wish to work on a mitigation, we can hold off on the CVE till a mitigation is found.
On Sun, Sep 7, 2014 at 7:47 AM, Matthias Urlichs <matthias-+qxcz+***@public.gmane.org> wrote:
Hi,
Post by Armin Ronacher:
> We do not have the resources (and we do not believe it's in the best
> interest of us) to maintain a production grade HTTP server.
I'd re-word that a bit more strongly:
We do believe that it's _not_ in our best interest to maintain (yet
another) production-grade HTTP server, given the fact that there already
are quite a few of them available.
--
-- Matthias Urlichs