There is no way to protect the WebUI from CSRF, and the fact that the value of the Access-Control-Allow-Origin header is '*' appears to compound the issue.
The attached file demonstrates the vulnerability.
Steps to replicate:
1. Log in to an instance of the Drill WebUI.
2. Edit the attached drill-csrf.html. Replace DRILL_HOST with the hostname of the Drill WebUI from step #1.
3. Load the file from step #2 in the same browser as step #1; either a new tab or the same window will do.
4. Return to the Drill WebUI and click on 'Profiles'.
The query 'SELECT 100' appears in the list of executed queries (see: Screen Shot 2019-08-19 at 10.11.50 AM.png).
It should be possible to whitelist or completely restrict code from other domain names to submit queries to the WebUI.
Potential for code execution by unauthorized parties.
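
One way the origin allowlist requested above could behave, as an added sketch that is not Drill's code or part of the original report: state-changing requests are processed only when their Origin (or, if absent, Referer) exactly matches a configured origin, and the wildcard is never returned. The function names and the allowlisted hostname are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must stay free of side effects
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample allowlist; a real deployment would read it from config.
ALLOWED = ["https://drill.example.internal:8047"]

def normalize_origin(value):
    """Return (scheme, host, port) for an Origin/Referer value, or None."""
    if not value or value.strip().lower() == "null":
        return None  # sandboxed frames and file:// pages send "Origin: null"
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # malformed port, e.g. "host:8047.other.example"
        return None
    return (scheme, parts.hostname.lower(), port)

def evaluate(method, headers, allowed_origins=ALLOWED):
    """Return (process_request, cors_response_headers) for one request."""
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin_raw = hdrs.get("origin")
    # Referer is consulted only when the browser sent no Origin header at all.
    claimed = origin_raw if origin_raw is not None else hdrs.get("referer")
    trusted = normalize_origin(claimed) in allowed
    response = {"Vary": "Origin"}  # keep caches from mixing per-origin answers
    if trusted and origin_raw is not None:
        # Echo the exact allowlisted origin instead of '*'.
        response["Access-Control-Allow-Origin"] = origin_raw.strip()
    if method.upper() in SAFE_METHODS:
        return True, response
    # Requests with neither header are refused; non-browser clients would
    # need a separate authenticated path or an anti-CSRF token.
    return trusted, response
```

An origin check of this kind complements, rather than replaces, a per-session anti-CSRF token on the query submission form.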