

** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Low' RISK - FTS3 - Lack of Authorization on config 


Date:        2014-08-05 



A vulnerability has been found in FTS-3 [R 1] where configuration commands are not 
properly authorized.


This has been fixed by the FTS-3 team some time ago.

FTS-2 is not affected.  

As it was fixed a long time ago, and it's unlikely that sites are running insecure 
versions, this is not sent to sites but only placed on the wiki. 


A vulnerability has been found in FTS-3 where configuration commands are not 
properly authorized.

Additionally, in some circumstances a suspended or banned user may be able to carry 
out configuration commands if they were able to carry out such commands prior to the

This was fixed by the FTS-3 team. 

This is included for completeness only on the wiki as it was fixed a long time ago, 
and the SVG was not aware that it was fixed. 

FTS-2 which is available in UMD-2 is not affected. 

Risk category

These issues have been assessed as 'Low' risk by the EGI SVG Risk Assessment Team.

Affected software


It is possible that the version on the EMI-3 site is still vulnerable, but that has 
not been confirmed.

Component installation information

Software is available at the FTS-3 site.  


If sites are using FTS-3 have not upgraded since 

If sites are using FTS-3 from EMI-3 they should consider migrating to 


This vulnerability was reported by Simon Fayer from Imperial College, London. 


[R 1]


2013-07-10 Vulnerability reported by Simon Fayer 
2013-07-11 Acknowledgement from the EGI SVG to the reporter
2013-07-12 Software providers involved in investigation
2013-07-15 Situation clarified by software providers and actions agreed
2013-08-21 Assessment by the EGI Software Vulnerability Group reported to the software 
2013-07-15 Updated packages available at FTS-3 site 
2014-08-04 Status update of vulnerability ticket requested, as close to TD
           found fixed immediately the team were alerted to the problem. 
2014-08-05 Public disclosure