The MATLAB® Web App Server™ has no specific mechanism to prevent HTTP request capture and replay.
The development version of MATLAB Web App Server has no mechanism for authentication or authorization other than HTTPS.
Any user with access to the network can run any application created with this software and read any data the application is authorized to access.
If you want authentication and role-based access capabilities, you need to purchase the MATLAB Web App Server product.
Installation of the MATLAB Web App Server creates two low-privileged user accounts on the host machine.
These low-privileged accounts may inherit privileges given to all users. Care should be taken to restrict privileges given to all users.
While the server and applications run under two different low-privileged user accounts, all applications hosted by the server run under the same low-privileged user account.
If multiple copies of the same application run simultaneously, they might interfere with each other. This situation happens if the application writes data to any shared resource, for example, a file or a non-concurrent database.
When deploying multiple applications to the server, the server shares cookies across sessions, which can result in crosstalk between applications for a single user accessing more than one application.
This situation could allow unintentional crosstalk between multiple applications run by the same user.
Deployed web applications are potentially vulnerable to data or code injection attacks whereby malicious or malformed inputs can be used to attempt to subvert the system. The server does not contain explicit protection against either type of injection attack. Certain MATLAB features, particularly the
eval()function, can increase the risk of injection attacks. A common countermeasure is input sanitization or input whitelisting. MATLAB contains functions like
regexprepthat can assist in validating untrusted input.
Your application may indirectly call
eval(), potentially making it vulnerable to code-injection attacks.
Other MATLAB functions may exhibit the same code injection vulnerabilities; any function that processes code-like input (XML, SQL, JSON, to name a few) is potentially vulnerable to code injection.
Any application that accesses the operating system via MATLAB
unix()commands might also be vulnerable to code injection.
MwWebAppWorkerR2023baccount has access to the
appsfolder on the server and therefore any web app that is running can potentially read the contents of the other
.ctffiles in the folder. This is true even if you use authorization. So you have to assume that every user with a role of
Authorhas the potential to get a copy of every other app if they are willing to try hard enough.
This list identifies known risks and is not meant to be comprehensive.