by djwelch666 5366 days ago
This is dangerous! Someone has left the debug=true in the config somewhere. Anything could be possible on the site, not just the script injection in the URL and the debug page, but a lot of other stuff as well. When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!
1 comments

> When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!

Well, get rid of that and push for a change in your company's workflow. This kind of control shouldn't be deployable to the main servers at all.

Have separate staging servers and run your tests and debugging interfaces on them, but as much as possible, don't deploy administrator interfaces to the servers that talk to the customer. [1]

[1] I'm undecided which kinds of heisenbugs would justify breaking that lemma.