[
https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910132#comment-16910132
]
Don Perial commented on DRILL-7351:
-----------------------------------
[~angozhiy] apologies. I assumed the description as a CSRF vulnerability + the
attached code would suffice. Anyway, added steps and risks to the description
above.
> WebUI is Vulnerable to CSRF
> ---------------------------
>
> Key: DRILL-7351
> URL: https://issues.apache.org/jira/browse/DRILL-7351
> Project: Apache Drill
> Issue Type: Bug
> Components: Web Server
> Affects Versions: 1.16.0
> Reporter: Don Perial
> Priority: Major
> Attachments: Screen Shot 2019-08-19 at 10.11.50 AM.png,
> drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value
> for the access-control-allow-origin header is '*' appears to confound this
> issue as well.
> The attached file demonstrates the vulnerability.
> Steps to replicate:
> # Login to an instance of the Drill WebUI.
> # Edit the attached [^drill-csrf.html]. Replace DRILL_HOST with the hostname
> of the Drill WebUI from step #1.
> # Load the file from #2 in the same browser as #1; either a new tab or the
> same window will do.
> # Return to the Drill WebUI and click on 'Profiles'.
> Observed results:
> The query 'SELECT 100' appears in the list of executed queries (see:
> [^Screen Shot 2019-08-19 at 10.11.50 AM.png] ).
> Expected results:
> It should be possible to whitelist or completely restrict code from other
> domain names to submit queries to the WebUI.
> Risks:
> Potential for code execution by unauthorized parties.
>
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
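An added example, not code from the issue thread or from Drill itself, of the origin allowlist check that the quoted "Expected results" asks for: state-changing requests are accepted only when the browser's Sec-Fetch-Site or Origin/Referer header shows they came from the UI's own origin, and a wildcard Access-Control-Allow-Origin on a cookie-authenticated endpoint is flagged. The UI origin https://drill.example:8047 and the sample requests are assumed/constructed.

```python
# Added example: server-side CSRF origin check plus CORS misconfiguration check.
# Assumes the web UI is served from https://drill.example:8047 (placeholder).
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://drill.example:8047"}      # assumed UI origin
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}    # state-changing verbs


def request_origin(headers):
    """Return scheme://host[:port] the browser reports, or None if absent."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        u = urlsplit(referer)
        return f"{u.scheme}://{u.netloc}"
    return None


def is_csrf_safe(method, headers):
    """Accept a state-changing request only if it provably came from the UI.

    Sec-Fetch-Site (sent by modern browsers) is decisive when present; only
    'same-origin' or 'none' (user-typed navigation) pass. Otherwise fall back
    to Origin/Referer against the allowlist. No header at all is rejected.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    site = headers.get("Sec-Fetch-Site")
    if site in ("same-origin", "none"):
        return True
    if site in ("cross-site", "same-site"):
        return False
    return request_origin(headers) in ALLOWED_ORIGINS


def cors_wildcard_on_session_endpoint(response_headers):
    """Flag the setting the report points at: ACAO '*' on a cookie-session UI."""
    return response_headers.get("Access-Control-Allow-Origin", "").strip() == "*"


# Constructed sample requests (not taken from the report's attachment).
SAMPLES = {
    "ui_form":    ("POST", {"Origin": "https://drill.example:8047",
                            "Sec-Fetch-Site": "same-origin"}),
    "other_site": ("POST", {"Origin": "https://other.example",
                            "Referer": "https://other.example/page.html"}),
    "no_headers": ("POST", {}),
    "read_only":  ("GET", {"Origin": "https://other.example"}),
}


def audit(samples=SAMPLES):
    """Map each sample name to whether the check would let it through."""
    return {name: is_csrf_safe(m, h) for name, (m, h) in samples.items()}
```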