DockerUI, a third-party Web interface for the popular software containerization system, has "multiple persistent [security] vulnerabilities," according to research conducted by Vulnerability Lab.
Vulnerability Lab reported two separate issues in the most recent build of DockerUI, 0.10.0. Although the project is still in beta, it has "multiple persistent input validation web vulnerabilities" (stored cross-site scripting, where injected content is saved and rendered back to other users) and "is vulnerable to a CSRF attack," according to Vulnerability Lab. Worse, one of the attacks can be launched by anyone who has basic user access to DockerUI.
The second issue is a cross-site request forgery (CSRF). If a logged-in DockerUI user can be tricked into clicking on a specially crafted URL, or into visiting a page that submits the request on their behalf, the browser sends the forged request with the victim's session and the attacker can execute commands in DockerUI, for example killing containers or adding and deleting volumes. Vulnerability Lab reports this problem is "present across all the state changing operations" in the application.
Both classes of attack are well understood in the Web application world and are not hard to defend against. CSRF can be prevented by requiring an unpredictable, session-bound token with every state-changing request and rejecting any such request that arrives without it; a cross-site page can make the victim's browser send cookies, but it cannot read or supply the token. XSS can be mitigated by treating all user-supplied data as untrustworthy and rendering it through templates that escape it for the context it lands in (HTML text, attribute, URL or script). The two fixes belong together: a stored XSS on the same origin lets injected script read the CSRF token, so the token check is only as strong as the output encoding.
Popular Web applications like WordPress have been some of the biggest targets for attacks of this kind and have been forced to become proactive in preventing these problems. The stakes there are high; after all, WordPress powers approximately 25 percent of all websites.
Web apps that don't have such broad audiences, like DockerUI, might be more vulnerable to these kinds of problems if their creators aren't versed in Web security issues or don't consider their apps to be likely targets for malicious actors. But all it takes is one mistakenly clicked link to disprove that assumption.