[ https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Don Perial updated DRILL-7351:
------------------------------
    Description:
There is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well.

The attached file demonstrates the vulnerability.

Steps to replicate:

1. Edit the attached [^drill-csrf.html]

  was:
There is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well.

The attached file demonstrates the vulnerability.

Preconditions:

Steps to replicate:

Pre


> WebUI is Vulnerable to CSRF
> ---------------------------
>
>                 Key: DRILL-7351
>                 URL: https://issues.apache.org/jira/browse/DRILL-7351
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.16.0
>            Reporter: Don Perial
>            Priority: Major
>         Attachments: drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value
> for the access-control-allow-origin header is '*' appears to confound this
> issue as well.
> The attached file demonstrates the vulnerability.
> Steps to replicate:
> 1. Edit the attached [^drill-csrf.html]



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
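As an added example (not code from the Drill project and not part of the issue above), the following Python shows the two defender-side checks that correspond to the points the report makes: an audit of the response headers a Web UI returns, which flags an Access-Control-Allow-Origin of '*', and the same-origin validation a server-side filter would apply before honouring a state-changing request. All header values and the site origin are constructed samples; the port 8047 is an assumption, not taken from the issue.

```python
"""Added example, not Apache Drill code: CORS header audit and a same-origin
check for state-changing Web UI requests (the CSRF mitigation a server-side
filter would apply). Sample header values below are constructed.
"""
from urllib.parse import urlsplit

# HTTP methods that may change server state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_cors_headers(headers):
    """Return a list of findings (strings) for a dict of response headers.

    An empty list means nothing CSRF/CORS-relevant was flagged.
    """
    h = _lower_keys(headers)
    findings = []
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append(
            "Access-Control-Allow-Origin is '*': every origin may read responses")
    if h.get("access-control-allow-credentials", "").lower() == "true":
        # Credentialed CORS is only safe with a fixed allow-list of origins;
        # flag it so the operator verifies the origin is not simply reflected.
        findings.append(
            "Access-Control-Allow-Credentials is true for origin %r" % acao)
    return findings


def request_origin(headers):
    """Derive scheme://host[:port] of the requester.

    Prefer the Origin header; fall back to the origin part of Referer.
    Returns None when neither header yields a usable origin.
    """
    h = _lower_keys(headers)
    origin = h.get("origin")
    if origin and origin != "null":
        return origin.lower()
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())
    return None


def is_same_origin_request(method, headers, site_origin):
    """Decide whether a request may proceed under a same-origin rule.

    Safe methods pass. State-changing requests must carry an Origin (or
    Referer) equal to the site's own origin. Browsers attach Origin to
    cross-site POSTs, so a state-changing request with neither header is
    rejected rather than assumed to be first-party.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    origin = request_origin(headers)
    return origin is not None and origin == site_origin.lower()


if __name__ == "__main__":
    # Constructed sample values; the site origin and port are assumptions.
    site = "http://drill.example:8047"
    print(audit_cors_headers({"Access-Control-Allow-Origin": "*"}))
    print(is_same_origin_request(
        "POST", {"Origin": "http://attacker.example"}, site))   # False
    print(is_same_origin_request(
        "POST", {"Origin": "http://drill.example:8047"}, site))  # True
```

The origin check is the request-side complement to fixing the header: tightening Access-Control-Allow-Origin stops other sites from reading responses, while rejecting state-changing requests whose Origin/Referer is not the site's own stops them from being acted on in the first place. A per-session anti-CSRF token remains the more robust control; the origin check is the minimal filter-level mitigation.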