[jira] [Updated] (DRILL-7351) WebUI is Vulnerable to CSRF

Don Perial (JIRA) Sun, 18 Aug 2019 19:17:11 -0700


     [ 
https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Don Perial updated DRILL-7351:
------------------------------
    Attachment: Screen Shot 2019-08-19 at 10.11.50 AM.png

> WebUI is Vulnerable to CSRF
> ---------------------------
>
>                 Key: DRILL-7351
>                 URL: https://issues.apache.org/jira/browse/DRILL-7351
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.16.0
>            Reporter: Don Perial
>            Priority: Major
>         Attachments: Screen Shot 2019-08-19 at 10.11.50 AM.png, 
> drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value 
> for the access-control-allow-origin header is '*' appears to confound this 
> issue as well.
> The attached file demonstrates the vulnerability.
> Steps to replicate:
> 1. Edit the attached [^drill-csrf.html]



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

[jira] [Updated] (DRILL-7351) WebUI is Vulnerable to CSRF

Reply via email to