

Advisory-SVG-2016-11107



Title:       EGI SVG Advisory [TLP:WHITE] 'Moderate' Risk: XSS in DIRAC Webapp and Web portal [EGI-SVG-2016-11107]  

Date:        2016-10-21 
Updated:     


Affected Software and Risk
==========================

Moderate risk vulnerability concerning XSS in DIRAC Webapp and Web portal

Package : DIRAC Webapp and Web portal


Actions Required/Recommended
============================

Sites are recommended to update relevant components, if they have not done so since
25th August 2016 when the patched version was made available.

Affected software details
=========================

Versions of DIRAC prior to v6r15 are affected.


More information
================

The reporter of the vulnerability stated that he was able to carry out an exploit, 
where an authenticated user could escalate their privilege.


Component installation information
==================================

See [R 1]. Information on the XSS vulnerability is at [R 2].

TLP and URL
===========

** WHITE information - Unlimited distribution                               **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11107  

Minor updates may be made without re-distribution to the sites

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London. 

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki

[R 2] https://github.com/DIRACGrid/WebAppDIRAC/pull/251

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look.


Timeline  
========

2016-05-17 Vulnerability reported by Simon Fayer who is a member of SVG. 
2016-05-17 Software providers responded and were involved in the investigation
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting.
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the software providers 
2016-08-08 Updated packages available on the DIRAC website
2016-10-18 SVG asked whether it had been fixed; confirmed that it was
2016-10-21 Advisory/Alert sent to sites
2016-10-21 Public disclosure


On behalf of the EGI SVG,