Posted to dev@drill.apache.org by Don Perial <pe...@gmail.com> on 2019/08/16 03:32:56 UTC

WebUI is Vulnerable to CSRF?

It seems that there is no way to protect the WebUI from CSRF and the fact
that the value for the access-control-allow-origin header is '*' appears to
confound this issue as well. I have searched the documentation and also did
quite a bit of Googling but have not seen any references to this. Is this
known and/or intended behavior?

The attached file should demonstrate the (elementary) attack.

Thanks in advance,

P

Re: WebUI is Vulnerable to CSRF?

Posted by Don Perial <pe...@gmail.com>.
Thanks Paul. Filed DRILL-7351 for this.

It's worth noting that hosting a web app (such as the Drill web UI) privately does
not prevent CSRF attacks, as a malicious web site can still attempt to call
into private/non-public websites (e.g. from JavaScript in the browser); it
may not get access to the reply, but even then it can trigger a mutation (e.g. a
POST request) on the private web app.

Best regards,

Dondi

On Fri, Aug 16, 2019 at 11:58 AM Paul Rogers <pa...@yahoo.com.invalid>
wrote:

> Hi Don,
>
> The one saving grace is that no one should ever host the Drill web UI on a
> public-facing web site. The UI provides lots of admin operations that one
> would not really want to expose openly.
>
>
> A much better solution would be to wrap Drill in a custom-made web app
> that controls what someone can do; the same way that a DB is exposed via a
> custom app, not by a public-facing PhpMyAdmin...
>
> Still, this should be fixed. Please file a JIRA with your findings.
>
> Thanks,
> - Paul
>
>
>
>     On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial <
> perialdon@gmail.com> wrote:
>
>  It seems that there is no way to protect the WebUI from CSRF and the fact
> that the value for the access-control-allow-origin header is '*' appears to
> confound this issue as well. I have searched the documentation and also did
> quite a bit of Googling but have not seen any references to this. Is this
> known and/or intended behavior?
> The attached file should demonstrate the (elementary) attack.
>
> Thanks in advance,
> P
>
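The standard defence for the situation Dondi describes (a browser can be made to send a state-changing request to a private admin UI even though the attacker cannot read the response) is to reject such requests unless they carry proof they came from the UI's own pages. The gate below is an added example, not Drill's code and not from the thread; the origin `https://drill-admin.internal:8047`, the session id, the server key and the sample requests are all constructed.

```python
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Methods that must never change state, so they need no CSRF proof.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed origin the admin UI is served from (constructed for this example).
UI_ORIGIN = "https://drill-admin.internal:8047"


def issue_token(session_id: str, server_key: bytes) -> str:
    """Synchronizer token bound to the session via HMAC; embed it in UI forms."""
    return hmac.new(server_key, session_id.encode(), "sha256").hexdigest()


def source_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Origin header if present, else scheme://host[:port] taken from Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_allowed(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                 session_id: str, server_key: bytes) -> Tuple[bool, str]:
    """Decide whether a request may mutate state; returns (allowed, reason).

    A cross-site page can make the browser send a POST with the victim's cookies,
    but it cannot set the request's Origin to the UI's origin, and it cannot read
    the per-session token out of the UI's pages. Both checks must pass.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = source_origin(headers)
    if origin is None:
        # Browsers send Origin on cross-site POSTs; a blank one is treated as hostile.
        return False, "missing Origin/Referer on state-changing request"
    if origin != UI_ORIGIN:
        return False, f"cross-origin request from {origin}"
    expected = issue_token(session_id, server_key).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The same check also addresses the wildcard `Access-Control-Allow-Origin` noted above: the response header should name the UI's own origin rather than `*`, so the server never tells browsers that any site may interact with it.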

Re: WebUI is Vulnerable to CSRF?

Posted by Paul Rogers <pa...@yahoo.com.INVALID>.
Hi Don,

The one saving grace is that no one should ever host the Drill web UI on a public-facing web site. The UI provides lots of admin operations that one would not really want to expose openly.


A much better solution would be to wrap Drill in a custom-made web app that controls what someone can do; the same way that a DB is exposed via a custom app, not by a public-facing PhpMyAdmin...

Still, this should be fixed. Please file a JIRA with your findings.

Thanks,
- Paul

    On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial <pe...@gmail.com> wrote:

It seems that there is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well. I have searched the documentation and also did quite a bit of Googling but have not seen any references to this. Is this known and/or intended behavior?
The attached file should demonstrate the (elementary) attack.

Thanks in advance,
P