Hi Don,

The one saving grace is that no one should ever host the Drill web UI on a 
public-facing web site. The UI provides lots of admin operations that one would 
not really want to expose openly.

A much better solution would be to wrap Drill in a custom-made web app that 
controls what someone can do; the same way that a DB is exposed via a custom 
app, not by a public-facing PhpMyAdmin...

Still, this should be fixed. Please file a JIRA with your findings.

- Paul


    On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial 
<perial...@gmail.com> wrote:  
 It seems that there is no way to protect the WebUI from CSRF and the fact that 
the value for the access-control-allow-origin header is '*' appears to confound 
this issue as well. I have searched the documentation and also did quite a bit 
of Googling but have not seen any references to this. Is this known and/or 
intended behavior?
The attached file should demonstrate the (elementary) attack.

Thanks In advance,

Reply via email to