rubenSastre opened a new issue #10411:
URL: https://github.com/apache/incubator-superset/issues/10411


The form_data sent on a request could be modified by a "gamma" user to read all the content from the database.

By modifying the request, we are able to forge our own query and interact with the current database in a manner not provided by the application. For instance, we can get the current database, the current user, and the database version.

By modifying the "datasource" parameter (which is in the format XX_table, where XX is the ID), we can list all the tables connected with superset.

### Screenshots
Getting all the tables by changing the ID on XX_table:

![image](https://user-images.githubusercontent.com/25669722/88289130-0f104600-ccf5-11ea-8de9-b7895f725698.png)

Finding the database and version:

![image](https://user-images.githubusercontent.com/25669722/88289281-50a0f100-ccf5-11ea-98d6-bf5df366cd8b.png)

Changing tables and values to add on the query:

![image](https://user-images.githubusercontent.com/25669722/88289595-c442fe00-ccf5-11ea-9562-70f28e8e4bd0.png)

- superset version: `0.35`
- python version: `3.6`

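One server-side mitigation for the behaviour reported above, added here as an example and not taken from Superset's code: the datasource id carried in form_data is resolved against server-side state, checked against the set of datasources the requesting user was granted, and only columns the application itself registered for that datasource are accepted as columns or metrics. The `DATASOURCES` registry, the allowed-id set standing in for the gamma role's permissions, and the `Forbidden` exception are all assumptions.

```python
# Added example, not Superset's code: validate client-supplied form_data
# against server-side state before any query is built from it.
import re
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when form_data references something the user may not touch."""

@dataclass(frozen=True)
class Datasource:
    id: int
    table: str
    columns: frozenset  # column names the application itself registered

# Constructed registry standing in for the metadata database (assumption).
DATASOURCES = {
    3: Datasource(3, "sales", frozenset({"region", "amount", "sold_at"})),
    7: Datasource(7, "hr_salaries", frozenset({"employee", "salary"})),
}

# The report gives the parameter format as XX_table, XX being the id.
_DATASOURCE_RE = re.compile(r"^(\d+)_(\w+)$")

def parse_datasource(value: str) -> int:
    m = _DATASOURCE_RE.match(value)
    if not m:
        raise ValueError(f"malformed datasource parameter: {value!r}")
    return int(m.group(1))

def validate_form_data(allowed_ids: frozenset, form_data: dict) -> Datasource:
    """Return the datasource the query may use, or raise Forbidden.

    allowed_ids is the set of datasource ids granted to the requesting
    user (an assumed stand-in for the role/permission model).
    """
    ds_id = parse_datasource(form_data.get("datasource", ""))
    ds = DATASOURCES.get(ds_id)
    # Same error for unknown and unauthorised ids, so iterating over ids
    # does not reveal which tables are connected.
    if ds is None or ds_id not in allowed_ids:
        raise Forbidden("datasource not accessible")
    requested = set(form_data.get("columns", [])) | set(form_data.get("metrics", []))
    unknown = requested - ds.columns
    if unknown:  # free-form expressions instead of known column names land here
        raise Forbidden(f"unknown columns for {ds.table}: {sorted(unknown)}")
    return ds

def is_allowed(allowed_ids: frozenset, form_data: dict) -> bool:
    try:
        validate_form_data(allowed_ids, form_data)
        return True
    except (Forbidden, ValueError):
        return False
```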

