The MATLAB® Web App Server has no specific mechanism to prevent HTTP request capture and replay.
The server has no mechanism for authentication or authorization other than HTTPS.
Any user with access to the network can run any application created with this software and read any data the application is authorized to access.
Both the server and applications run under the same low-privileged user account.
If multiple copies of the same application run simultaneously, they might interfere with each other. This situation happens if the application writes data to any shared resource, for example, a file or a nonconcurrent database.
Installation of the MATLAB Web App Server creates the low-privileged user account on the host machine.
This low-privileged account can inherit any privileges granted to all users, so take care to restrict the privileges granted to all users.
When multiple applications are deployed to the server, cookies are shared across sessions. A single user who accesses more than one application could therefore experience unintentional crosstalk between those applications.
Deployed web applications are potentially vulnerable to data or code injection attacks, whereby malicious or malformed inputs are used in an attempt to subvert the system. The server does not contain explicit protection against either type of injection attack. Certain MATLAB features, particularly the eval() function, can increase the risk of injection attacks. A common countermeasure is input sanitization or input whitelisting. MATLAB contains functions such as regexprep() that can assist in validating input.
Your application may indirectly call eval(), potentially making it vulnerable to code injection. Other MATLAB functions may exhibit the same code injection vulnerabilities; any function that processes code-like input (XML, SQL, JSON, to name a few) is potentially vulnerable to code injection.
Any application that accesses the operating system via unix() commands might also be vulnerable to code injection.
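To make the whitelisting countermeasure concrete, here is an added example (not code from the MathWorks documentation or from the Web App Server product) of a MATLAB request handler that validates its two text parameters against closed whitelists instead of handing them to eval() or to a shell via unix(). The function names handleRequest, selectOperation, sanitizeFileName, listDataFiles, requireText and dataRoot, the two form parameters, and the data folder under tempdir are all assumptions made for the illustration.

```matlab
% Added example, not MathWorks code: a request handler that applies the
% whitelisting countermeasure instead of passing request text to eval()
% or to a shell. Function and parameter names are hypothetical; the data
% folder is an assumed fixed location.

function result = handleRequest(operation, fileName)
% HANDLEREQUEST  Compute a whitelisted statistic over a whitelisted data file.
%   operation - text from the web form, e.g. 'mean'
%   fileName  - text from the web form, e.g. 'sample.mat'

    % Pattern to avoid: building code from request text, for example
    %   eval(['result = ' operation '(data.values);'])
    % With that pattern every character of the request is interpreted as
    % MATLAB code. Instead, map the text onto a closed set of handlers.
    fn = selectOperation(operation);

    % The file name is validated against a strict whitelist before it is
    % used to build a path, so '..' segments, separators and quotes are
    % rejected outright rather than escaped.
    safeName = sanitizeFileName(fileName);
    data = load(fullfile(dataRoot(), safeName), 'values');
    result = fn(data.values);
end

function fn = selectOperation(operation)
% Closed dispatch table: unknown text is an error and is never executed.
    operation = requireText(operation, 'operation');
    switch operation
        case 'mean',   fn = @mean;
        case 'median', fn = @median;
        case 'max',    fn = @max;
        otherwise
            error('handleRequest:unsupportedOperation', ...
                'Operation "%s" is not supported', operation);
    end
end

function name = sanitizeFileName(name)
% Whitelist: 1-64 characters from [A-Za-z0-9_-], then the literal '.mat'.
% Everything else is rejected; rejecting is safer than trying to escape.
    name = requireText(name, 'fileName');
    if isempty(regexp(name, '^[A-Za-z0-9_-]{1,64}\.mat$', 'once'))
        error('handleRequest:invalidFileName', ...
            'File name rejected by whitelist');
    end
end

function listing = listDataFiles()
% Pattern to avoid: handing request text to the operating system, e.g.
%   [status, listing] = unix(['ls ' requestedFolder]);
% A shell interprets metacharacters in that string. dir() does not, and it
% is constrained here to a fixed folder and extension.
    entries = dir(fullfile(dataRoot(), '*.mat'));
    listing = {entries.name};
end

function s = requireText(s, argName)
% Accept char vectors or string scalars only; anything else is rejected early.
    if ~(ischar(s) || (isstring(s) && isscalar(s)))
        error('handleRequest:badType', '%s must be text', argName);
    end
    s = char(s);
end

function folder = dataRoot()
% Assumed fixed location for application data (not from the documentation).
    folder = fullfile(tempdir, 'webapp_data');
end
```

The hardened handler accepts a call such as handleRequest('mean', 'sample.mat') and raises an error for anything outside the whitelist, for instance a file name containing a path separator or an operation that is not in the switch table. Rejecting is preferred to escaping because the set of dangerous characters differs between MATLAB, the shell, SQL and XML, whereas a whitelist of permitted characters is the same everywhere.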
This is a list of known risks and is not meant to be comprehensive.