Hi Don,
The one saving grace is that no one should ever host the Drill web UI on a
public-facing web site. The UI provides lots of admin operations that one would
not really want to expose openly.
A much better solution would be to wrap Drill in a custom-made web app that
controls what someone can do; the same way that a DB is exposed via a custom
app, not by a public-facing PhpMyAdmin...
Still, this should be fixed. Please file a JIRA with your findings.
Thanks,
- Paul
On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial
<[email protected]> wrote:
It seems that there is no way to protect the WebUI from CSRF and the fact that
the value for the access-control-allow-origin header is '*' appears to confound
this issue as well. I have searched the documentation and also did quite a bit
of Googling but have not seen any references to this. Is this known and/or
intended behavior?
The attached file should demonstrate the (elementary) attack.
Thanks in advance,
P
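One way to implement the gateway Paul suggests, as an added example that is not code from Drill or from either poster: a Python origin check that a reverse proxy sitting in front of the Drill web UI would apply to state-changing requests, together with a rewrite of the wildcard Access-Control-Allow-Origin header Don reports. The trusted origin, the header dictionaries and the request shape are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed: the only origin from which the Drill web UI should be driven.
TRUSTED_ORIGIN = "https://drill-admin.internal.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only, not CSRF-relevant


def _origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method, headers, trusted_origin=TRUSTED_ORIGIN):
    """Decide whether a request may be forwarded to the Drill web UI.

    Safe methods pass. State-changing methods must carry an Origin header
    (or, failing that, a Referer) whose origin equals the trusted origin;
    a missing, 'null' or foreign origin is rejected. Header names are
    compared case-insensitively, as HTTP requires.
    """
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = _origin_of(h["referer"])
    if origin is None or origin.lower() == "null":
        return False
    return origin.lower() == trusted_origin.lower()


def fix_cors_headers(response_headers, trusted_origin=TRUSTED_ORIGIN):
    """Replace a wildcard Access-Control-Allow-Origin with the trusted origin.

    Adds 'Vary: Origin' when a rewrite happens so caches keep the responses
    for different origins apart. Other headers are passed through unchanged.
    """
    fixed, rewrote = {}, False
    for k, v in response_headers.items():
        if k.lower() == "access-control-allow-origin" and v.strip() == "*":
            fixed[k], rewrote = trusted_origin, True
        else:
            fixed[k] = v
    if rewrote:
        fixed.setdefault("Vary", "Origin")
    return fixed
```

Cookie- or token-based CSRF protection inside the UI itself is still the proper fix; the origin check above is what a front-end gateway can enforce without changing Drill.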