I wrote this elsewhere, but this is how Patreon created a problem for themselves.
It's pretty easy to enable debug within Werkzeug but it isn't enabled by default. It's also not by default listening on "0.0.0.0" but rather instead by default "127.0.0.1".
Here's exactly what they did in the code (this is straight from the dump):
Then in the patreon.config.debug string, it had a true statement:web_app.debug = patreon.config.debug web_app.run('0.0.0.0', port=args.port, use_reloader=False)
Whoever enabled this server wouldn't have fed arguments to enable it as it was hard-coded into the application. All someone had to do was just type "python patreonweb.py" and the server would be ready to go with debug-mode enabled.debug = True
Detectify Labs wrote a blog entry and linked to a previous one of mine. Don't enable debug on Internet-facing servers and if you can help it don't enable it to listen on "0.0.0.0" either.