Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-7351

WebUI is Vulnerable to CSRF

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.16.0
    • Fix Version/s: 1.17.0
    • Component/s: Web Server
    • Labels:

      Description

      There is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well.

      The attached file demonstrates the vulnerability.

      Steps to replicate:

      1. Login to an instance of the Drill WebUI.
      2. Edit the attached drill-csrf.html. Replace DRILL_HOST with the hostname of the Drill WebUI from step #1.
      3. Load the file from #2 in the same browser as #1 either new tab or same window will do.
      4. Return to the Drill WebUI and click on 'Profiles'.

      Observed results:

      The query 'SELECT 100' appears in the list of executed queries (see: Screen Shot 2019-08-19 at 10.11.50 AM.png ).

      Expected results:

      It should be possible to whitelist or completely restrict code from other domain names to submit queries to the WebUI.

      Risks:

      Potential for code execution by unauthorized parties.

       

       

        Attachments

        1. drill-csrf.html
          0.3 kB
          Don Perial
        2. Screen Shot 2019-08-19 at 10.11.50 AM.png
          58 kB
          Don Perial

          Issue Links

          links to

          Web Link GitHub Pull Request #1864

            Activity

              People

              • Assignee:
                angozhiy Anton Gozhiy
                Reporter:
                perialdon Don Perial
                Reviewer:
                Arina Ielchiieva
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: