[
https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Don Perial updated DRILL-7351:
------------------------------
Description:
There is no way to protect the WebUI from CSRF and the fact that the value for
the access-control-allow-origin header is '*' appears to confound this issue as
well.
The attached file demonstrates the vulnerability.
Steps to replicate:
1. Edit the attached [^drill-csrf.html]
was:
There is no way to protect the WebUI from CSRF and the fact that the value for
the access-control-allow-origin header is '*' appears to confound this issue as
well.
The attached file demonstrates the vulnerability.
Preconditions:
Steps to replicate:
Pre
> WebUI is Vulnerable to CSRF
> ---------------------------
>
> Key: DRILL-7351
> URL: https://issues.apache.org/jira/browse/DRILL-7351
> Project: Apache Drill
> Issue Type: Bug
> Components: Web Server
> Affects Versions: 1.16.0
> Reporter: Don Perial
> Priority: Major
> Attachments: drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value
> for the access-control-allow-origin header is '*' appears to confound this
> issue as well.
> The attached file demonstrates the vulnerability.
> Steps to replicate:
> 1. Edit the attached [^drill-csrf.html]
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
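As an added illustration of the two points in the report (a WebUI that accepts state-changing requests with no CSRF defence, and a wildcard Access-Control-Allow-Origin), the block below is example code written for this page; it is not Drill's code and not the attached drill-csrf.html. It assumes a hypothetical request shape ({method, headers}), a session-bound token the server already knows, and http://localhost:8047 as the WebUI origin (Drill's default HTTP port, assumed here). It shows the checks a server would apply before acting on a POST, and a check for the permissive CORS header, run over constructed sample requests.

```javascript
// Added example, not code from Apache Drill or from the issue's attachment.
// Assumptions (hypothetical): requests are plain {method, headers} objects,
// the anti-CSRF token is already bound to the session on the server side, and
// the WebUI origin is http://localhost:8047 (Drill's default port, assumed).

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Lower-case header names so lookups are case-insensitive, as HTTP is.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Origin (scheme://host[:port]) of a URL or Origin header value, or null.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Constant-time string comparison so the token check does not leak via timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may perform a state-changing action.
// Check 1: Origin (or, failing that, Referer) must be the WebUI's own origin.
// Check 2: the request must carry the session's anti-CSRF token in a custom
//          header; a forged cross-site <form> cannot set custom headers.
function checkCsrf(req, { serverOrigin, sessionToken }) {
  const method = String(req.method || 'GET').toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true, reason: 'safe method' };
  const h = normalizeHeaders(req.headers);
  const source = h.origin ? originOf(h.origin) : (h.referer ? originOf(h.referer) : null);
  if (source !== serverOrigin) {
    return { ok: false, reason: `request origin ${source} is not ${serverOrigin}` };
  }
  if (!safeEqual(h['x-csrf-token'], sessionToken)) {
    return { ok: false, reason: 'missing or wrong anti-CSRF token' };
  }
  return { ok: true, reason: 'same-origin request with valid token' };
}

// Flag the permissive policy the report mentions: a wildcard
// Access-Control-Allow-Origin on a cookie-authenticated UI.
function corsIsWildcard(responseHeaders) {
  const h = normalizeHeaders(responseHeaders);
  return (h['access-control-allow-origin'] || '').trim() === '*';
}

// Constructed sample traffic (not captured from Drill).
const SERVER = { serverOrigin: 'http://localhost:8047', sessionToken: 'c0ffee-token-1234' };

// What a forged <form method="POST"> on an attacker page produces: the browser
// attaches the victim's cookie, sets Origin to the attacker's site and cannot
// add an X-CSRF-Token header.
const forgedRequest = {
  method: 'POST',
  headers: { Cookie: 'JSESSIONID=abc', Origin: 'http://attacker.example' },
};

// A legitimate request issued by the WebUI's own JavaScript.
const legitimateRequest = {
  method: 'POST',
  headers: {
    Cookie: 'JSESSIONID=abc',
    Origin: 'http://localhost:8047',
    'X-CSRF-Token': 'c0ffee-token-1234',
  },
};

// A constructed response header set showing the wildcard CORS policy.
const permissiveResponse = { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'text/html' };

console.log(checkCsrf(forgedRequest, SERVER));      // ok: false
console.log(checkCsrf(legitimateRequest, SERVER));  // ok: true
console.log(corsIsWildcard(permissiveResponse));    // true
```

One caveat worth keeping in mind when reading the report: browsers refuse to send credentials to a response whose Access-Control-Allow-Origin is `*`, so the wildcard by itself exposes unauthenticated endpoints to cross-origin reads rather than enabling credentialed reads; the CSRF proper rides on the browser attaching the session cookie to a forged form POST, which CORS does not govern at all. That is why the origin check and the token check above are applied to the request independently of whatever CORS headers the server emits.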