Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'High' Risk - Dirac SQL injection vulnerability [EGI-SVG-2014-7553]

Date:        2015-05-13
Updated:     2015-08-13



An SQL injection vulnerability has been found in Dirac, which is exploitable by 
any authorized user and allows proxy theft.  

This has been fixed by the developers. 

Update 13th August 2015

Changed to 'White' information - this is now the production version.  


An SQL injection vulnerability has been found in Dirac, which allows an authorized
user to steal long lived proxies from other clients in the same Dirac server, possibly 
including clients in other VOs.  This allows the possibility of tampering
with data, and impersonation of another user.  An exploit has been written by the reporter, 
and the developers confirmed that this vulnerability exists as described.

Risk category

This issue has been assessed as 'High' Risk by the EGI SVG Risk Assessment Team. 

Affected software

Dirac versions prior to v6r13

This vulnerability is fixed in Dirac v6r13



Component installation information

See [R 1] 


Sites are recommended to update relevant components as soon as possible.


This vulnerability was reported by Simon Fayer from Imperial College, London.


[R 1]


2014-10-14 Vulnerability reported by Simon Fayer from SVG
2014-10-27 Software providers responded and involved in investigation
2014-11-07 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-05-08 Updated packages available 
2015-05-13 Advisory sent to sites
2015-08-13 Updated as fixed version is now the production version and placed on wiki