- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.16.0
- Fix Version/s: 1.17.0
- Component/s: Web Server
- Labels:

There is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well.
The attached file demonstrates the vulnerability.
Steps to replicate:
1. Log in to an instance of the Drill WebUI.
2. Edit the attached drill-csrf.html. Replace DRILL_HOST with the hostname of the Drill WebUI from step #1.
3. Load the file from #2 in the same browser as #1; either a new tab or the same window will do.
4. Return to the Drill WebUI and click on 'Profiles'.
Observed results:
The query 'SELECT 100' appears in the list of executed queries (see: Screen Shot 2019-08-19 at 10.11.50 AM.png).
Expected results:
It should be possible to whitelist or completely restrict code from other domain names to submit queries to the WebUI.
Risks:
Potential for code execution by unauthorized parties.
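
The restriction asked for under "Expected results", as an added example (not code from Drill or from the reporter): a framework-independent check that rejects state-changing requests unless they come from an allowlisted origin and carry the session's token, and that echoes an allowlisted origin instead of sending '*'. The header name `X-CSRF-Token`, the host name and the token value are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumes these never change state

# Constructed sample values, not taken from any real deployment.
ALLOWED_ORIGINS = {"https://drill.example.com:8047"}
SESSION_TOKEN = "constructed-sample-token"


def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, else None."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_allow_origin(request_origin, allowed_origins):
    """Value for Access-Control-Allow-Origin: an allowlisted origin, never '*'."""
    origin = origin_of(request_origin)
    return origin if origin in allowed_origins else None


def check_request(method, headers, session_token, allowed_origins):
    """Return (allowed, reason) for a request on an authenticated session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    # Use Referer only when Origin is absent; "Origin: null" is rejected.
    source = origin_of(h["origin"] if "origin" in h else h.get("referer"))
    if source is None:
        return False, "no usable Origin or Referer"
    if source not in allowed_origins:
        return False, f"origin {source} not allowlisted"
    sent = h.get("x-csrf-token", "")  # hypothetical header name
    if not session_token or not hmac.compare_digest(
        sent.encode(), session_token.encode()
    ):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    cross_site = {"Origin": "https://other.example"}
    same_site = {"Origin": "https://drill.example.com:8047",
                 "X-CSRF-Token": SESSION_TOKEN}
    print(check_request("POST", cross_site, SESSION_TOKEN, ALLOWED_ORIGINS))
    print(check_request("POST", same_site, SESSION_TOKEN, ALLOWED_ORIGINS))
```

The token check is what stops a cross-site form post that a browser sends with the session cookie attached; the origin check alone depends on the browser supplying the header.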