Dokploy Clickjacking Vulnerability Due to Missing Frame-Busting Headers
Vulnerability
A Clickjacking vulnerability has been identified in the Dokploy web interface, affecting versions prior to 0.26.6. The issue arises from the absence of frame-busting headers, allowing attackers to embed Dokploy pages in malicious iframes. This could deceive authenticated users into performing unintended actions. The vulnerability was discovered using the WhiteHack security scanner.
Impact
Exploitation of this vulnerability could allow attackers to manipulate authenticated administrators into making changes to deployment configurations, deleting applications or services, altering security settings, or managing user accounts.
Reproduction
To reproduce this vulnerability, create an HTML file that includes an iframe pointing to a Dokploy instance on port 3000. The iframe should be styled to be nearly invisible and positioned over a decoy button, so that a click on the apparent button lands on the embedded Dokploy page. After hosting this file on an attacker-controlled server, an authenticated Dokploy user can be tricked into visiting the page and inadvertently clicking through to the embedded Dokploy interface.
Remediation
Users can update to Dokploy version 0.26.6 or later, where this vulnerability has been patched.
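The following is an added verification check, not code from the Dokploy project or from the advisory author. It classifies the response headers of a page as protected or unprotected against framing, treating a Content-Security-Policy frame-ancestors directive as authoritative and falling back to X-Frame-Options, which is how current browsers resolve the two. The two sample header sets are constructed for illustration and are not captured from a Dokploy instance; checkUrl assumes a Node.js runtime with a global fetch (Node 18 or later) and is the only part that touches the network.

```javascript
// Added example: decide whether an HTTP response's headers stop the page
// from being embedded in an iframe on another origin.
// Input: plain object of header name -> value (names are case-insensitive).
// Output: { protected, mechanism, detail }.

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the frame-ancestors source list from a CSP value (lower-cased),
// or null when the directive is not present at all.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  const h = normalizeHeaders(headers);

  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const fa = frameAncestors(h['content-security-policy']);
  if (fa !== null) {
    // An empty source list is equivalent to 'none' per the CSP spec.
    if (fa.length === 0 || fa.includes("'none'")) {
      return { protected: true, mechanism: 'csp', detail: "frame-ancestors 'none'" };
    }
    if (fa.includes('*')) {
      return { protected: false, mechanism: 'csp', detail: 'frame-ancestors allows any origin' };
    }
    if (fa.every((s) => s === "'self'")) {
      return { protected: true, mechanism: 'csp', detail: "frame-ancestors 'self'" };
    }
    return { protected: true, mechanism: 'csp', detail: `frame-ancestors limited to: ${fa.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete and ignored by current browsers, so it offers no protection.
    return { protected: false, mechanism: 'x-frame-options', detail: 'ALLOW-FROM is not honoured by current browsers' };
  }
  if (xfo) {
    return { protected: false, mechanism: 'x-frame-options', detail: `unrecognised value ${xfo}` };
  }
  return { protected: false, mechanism: 'none', detail: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Fetch a URL and assess its headers. Assumes global fetch (Node 18+).
// Not called at load time so the rest of the file runs offline.
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return assessFramingProtection(Object.fromEntries(res.headers));
}

// Constructed sample header sets (not real Dokploy responses):
// a response with no anti-framing header at all, and one that sends both mechanisms.
const SAMPLE_UNPATCHED = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'no-store',
};
const SAMPLE_PATCHED = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Usage: node check-framing.js (prints both classifications)
console.log('unpatched:', assessFramingProtection(SAMPLE_UNPATCHED));
console.log('patched:  ', assessFramingProtection(SAMPLE_PATCHED));
```

Run checkUrl against an instance's login page and one authenticated page: a result with mechanism 'none' means the page can be framed by any site, which is the condition this advisory describes; a result with mechanism 'csp' or 'x-frame-options' and protected true means the browser will refuse to render the page inside a third-party iframe.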
