[ https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Don Perial updated DRILL-7351:
------------------------------
    Description: 
There is no way to protect the WebUI from CSRF, and the fact that the value of 
the access-control-allow-origin header is '*' appears to confound this issue as 
well.

The attached file demonstrates the vulnerability.

Steps to replicate:
 1. Log in to an instance of the Drill WebUI.
 2. Edit the attached [^drill-csrf.html]. Replace DRILL_HOST with the hostname 
of the Drill WebUI from step 1.
 3. Load the file from step 2 in the same browser as step 1 (either a new tab or 
the same window will do).
 4. Return to the Drill WebUI and click on 'Profiles'.

Observed results:

The query 'SELECT 100' appears in the list of executed queries (see: [^Screen 
Shot 2019-08-19 at 10.11.50 AM.png]).

Expected results:

It should be possible to whitelist or completely restrict code from other 
domain names to submit queries to the WebUI.

Risks:

Potential for code execution by unauthorized parties.

  was:
There is no way to protect the WebUI from CSRF and the fact that the value for 
the access-control-allow-origin header is '*' appears to confound this issue as 
well.

The attached file demonstrates the vulnerability.

Steps to replicate:

1. Edit the attached [^drill-csrf.html]


> WebUI is Vulnerable to CSRF
> ---------------------------
>
>                 Key: DRILL-7351
>                 URL: https://issues.apache.org/jira/browse/DRILL-7351
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.16.0
>            Reporter: Don Perial
>            Priority: Major
>         Attachments: Screen Shot 2019-08-19 at 10.11.50 AM.png, 
> drill-csrf.html
>
>



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)