Third-party Web UI for Docker has major security flaws
DockerUI, a third-party Web interface for the popular software containerization system, has “multiple persistent [security] vulnerabilities,” according to research conducted by Vulnerability Lab.
Vulnerability Lab reported two separate issues in the most recent build of DockerUI, 0.10.0. Although still in beta, it has “multiple persistent input validation web vulnerabilities” and “is vulnerable to a CSRF attack,” according to Vulnerability Lab. Worse, one of the attacks can be launched by anyone who has basic user access to DockerUI.
The first issue, a cross-site scripting (XSS) attack, allows a user to embed live JavaScript in the name of a volume or driver managed by DockerUI. Any other user of DockerUI who encounters the tainted volume name will have the script run in their browser. Attacks like these are common in Web applications that neglect to ensure user-submitted data is not rendered as code, for example as JavaScript.
With the second issue, a cross-site request forgery (CSRF) attack, if a user of DockerUI can be tricked into clicking on a specially crafted URL, the attacker could execute commands in DockerUI and, for example, kill containers, add or delete volumes, and so on. Vulnerability Lab reports this problem is “present across all the state changing operations” in the application.
Both classes of attack are well understood in the Web application world and are not hard to defend against. CSRF attacks can be prevented by requiring a secret, per-session token with every state-changing request. XSS attacks can be mitigated by always treating user-supplied data as untrustworthy and by using templates that render data in an escaped form.
Popular Web applications like WordPress have been some of the biggest targets for attacks of this kind and have been forced to become proactive in preventing these problems. The stakes there are high; after all, WordPress powers approximately 25 percent of all websites.
Web apps that don’t have such broad audiences, like DockerUI, might be more vulnerable to these kinds of problems if their creators aren’t versed in Web security issues or don’t consider their apps to be likely targets for malicious actors. But all it takes is one mistakenly clicked link to disprove that assumption.
Source | InfoWorld