Closed jackieklaura closed 8 months ago
I like the idea of this fix, especially as it adds extra security to a deliberately insecure thing.
The only thing I'm worried about is if people are using this already to build labs, the change will break things for them. I don't like breaking changes.
@JGillam You use DVWA in your labs, would this break things for you or would you have a custom compose file by now?
@digininja Thanks for the mention! I reviewed this change and I don't think this will impact the way samuraiwtf / katana uses DVWA because though we use the DVWA container, we have a custom-built compose file for the lab environment rather than using the DVWA compose file.
In which case, PR accepted. Thanks @JGillam for the review and thanks @jackieklaura for sending it.
If this does break things for anyone, let me know and we will see what we can do.
If the docker port mapping does not use a specific IP, the port will be opened on all available network devices. This is potentially dangerous, because people who just quickly want to try out the DVWA are not always aware of this issue. Nevertheless, anyone on their local network could then access the DVWA inside the container.
Therefore this commit changes the default to be mapped to the same port only on the local loopback device as the safer default, and adds a short explanation in the respective section of the README, so that people can make it available on all network devices if they really need to.
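The loopback-versus-all-interfaces distinction the description relies on, as an added example that is not part of the DVWA project or this PR: a small checker for compose short-syntax port entries that reports which mappings would be reachable from the whole network. The sample entries (`"80:80"` and `"127.0.0.1:80:80"`) are constructed placeholders, not the project's actual port numbers.

```python
import ipaddress


def parse_port_mapping(spec):
    """Split a compose short-syntax port entry into its parts.

    Accepted shapes: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO],
    e.g. "80", "80:80", "127.0.0.1:80:80", "[::1]:80:80", "8080:80/udp".
    """
    spec = str(spec)  # YAML may hand us a bare integer such as 80
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    container_port = parts[-1]
    host_port = parts[-2] if len(parts) >= 2 else None
    # Everything before the last two fields is the host address (IPv6 keeps its colons).
    host_ip = ":".join(parts[:-2]).strip("[]") if len(parts) >= 3 else None
    return {
        "host_ip": host_ip or None,
        "host_port": host_port or None,  # empty host port -> Docker picks an ephemeral one
        "container_port": container_port,
        "proto": proto,
    }


def binding_scope(spec):
    """Classify where the published port listens on the host."""
    host_ip = parse_port_mapping(spec)["host_ip"]
    if host_ip is None:
        return "all-interfaces"  # no address given: Docker binds 0.0.0.0 / ::
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:  # explicit 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific-address"


def audit_ports(specs):
    """Return the entries that expose the service to every network device."""
    return [spec for spec in specs if binding_scope(spec) == "all-interfaces"]


# Constructed sample entries illustrating the old and the new default.
INSECURE_DEFAULT = ["80:80"]
SAFER_DEFAULT = ["127.0.0.1:80:80"]

if __name__ == "__main__":
    for label, specs in (("old", INSECURE_DEFAULT), ("new", SAFER_DEFAULT)):
        print(label, "exposed to all interfaces:", audit_ports(specs))
```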