EGI SVG Advisories

Advisory-SVG-2016-11107

Title:   EGI SVG Advisory [TLP:WHITE] 'Moderate' Risk: XSS in DIRAC Webapp and
         Web portal [EGI-SVG-2016-11107]

Date:    2016-10-21
Updated:


Affected Software and Risk
==========================

Moderate risk vulnerability concerning XSS in DIRAC Webapp and Web portal

Package : DIRAC Webapp and Web portal


Actions Required/Recommended
============================

Sites are recommended to update relevant components, if they have not done so
since 25th August 2016, when the patched version was made available.

Affected Software Details
=========================

Versions of DIRAC prior to v6r15 are affected.


More information
================

The reporter of the vulnerability stated that he was able to carry out an
exploit, where an authenticated user could escalate their privilege.


Component installation information
==================================

See [R 1]. Information on the XSS vulnerability is at [R 2].

TLP and URL
===========

** WHITE information - Unlimited distribution                               **
** see https://go.egi.eu/tlp for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-2016-11107

Minor updates may be made without re-distribution to the sites

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki

[R 2] https://github.com/DIRACGrid/WebAppDIRAC/pull/251

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to report-vulnerability at egi.eu and the EGI Software
Vulnerability Group will take a look.


Timeline
========

Yyyy-mm-dd  [EGI-SVG-2016-11107]

2016-05-17 Vulnerability reported by Simon Fayer who is a member of SVG.
2016-05-17 Software providers responded and involved in investigation
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting.
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the
           software providers
2016-08-08 Updated packages available on the DIRAC website
2016-10-18 SVG asked whether it has been fixed, confirmed that it was
2016-10-21 Advisory/Alert sent to sites
2016-10-21 Public disclosure


On behalf of the EGI SVG,