Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM) : pi3 blog

In the second half of 2009 I was working at the European Organization for Nuclear Research (CERN). For some time I was part of the GRID development team, and one of our products was (and still is) the DPM server. What is DPM? The LCG Disk Pool Manager (DPM) was developed as part of the LCG project to provide a light-weight implementation of an SRM-compliant Storage Element (SE). Since gLite 3.0 it has been a standard gLite component, distributed and maintained as part of the gLite release.

DPM is a disk-only SE, as opposed to a disk + MSS implementation like dCache or Castor. It may act as a replacement for the deprecated classic SE, with the following advantages:

  • SRM interface (both v1.1 and v2.2)
  • Better scalability: DPM can manage 100+ TB by distributing the load over several servers
  • High performance
  • Light-weight management

Not everyone is familiar with GRID technology and the terms used in that community. If you want more background, please see the resources linked here and also here.

During that time I found multiple serious SQL injection vulnerabilities in this software. I wrote an extra protection layer for DPM which performed additional security checks and was meant to secure the software against any similar attack. Unfortunately, because of an internal reorganization, the patch was not integrated into the official DPM release.
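The post does not describe the injectable queries or the checks the protection layer performed, so the following is an added illustration, not DPM's code and not the original patch. It shows the general pattern: a query built by pasting a caller-supplied storage path into SQL text, an injection string that breaks out of the literal, and a whitelist check of the kind an extra validation layer can run before any SQL is assembled. The table and column names (`file_metadata`, `fileid`, `name`), the sample paths and the allowed character set are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 512

/* Hypothetical query builder standing in for the injectable pattern: the
 * caller-supplied path is pasted straight into the SQL text. Table and
 * column names are made up for this example; this is not DPM's code. */
int build_query_unsafe(char *out, size_t outlen, const char *path)
{
    int n = snprintf(out, outlen,
                     "SELECT fileid FROM file_metadata WHERE name = '%s'",
                     path);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Whitelist check for a storage path, the kind of extra check a
 * protection layer can run before any SQL is assembled: absolute,
 * bounded length, only characters a legitimate path needs (assumed set),
 * and no '..' component. Quotes, backslashes, semicolons, comment
 * markers, spaces and control bytes all fail the character test. */
int path_is_safe(const char *path)
{
    size_t i, len;

    if (path == NULL || path[0] != '/')
        return 0;
    len = strlen(path);
    if (len > 255)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    if (strstr(path, "/../") != NULL ||
        (len >= 3 && strcmp(path + len - 3, "/..") == 0))
        return 0;
    return 1;
}

/* Guarded builder: the check runs first; on rejection no query text is
 * produced and the caller gets -1. */
int build_query_checked(char *out, size_t outlen, const char *path)
{
    if (!path_is_safe(path))
        return -1;
    return build_query_unsafe(out, outlen, path);
}

/* Demonstration aid only: a query with one string literal should contain
 * exactly two single quotes. More means the literal was broken out of. */
int query_was_tampered(const char *query)
{
    int quotes = 0;

    for (; *query != '\0'; query++)
        if (*query == '\'')
            quotes++;
    return quotes != 2;
}

int main(void)
{
    /* Constructed inputs: a plausible path and a classic injection string. */
    const char *good = "/dpm/cern.ch/home/atlas/data.root";
    const char *evil = "/dpm/x' OR '1'='1";
    char q[QUERY_MAX];

    if (build_query_unsafe(q, sizeof q, evil) == 0)
        printf("unsafe : %s  (tampered=%d)\n", q, query_was_tampered(q));
    if (build_query_checked(q, sizeof q, evil) != 0)
        printf("checked: rejected %s\n", evil);
    if (build_query_checked(q, sizeof q, good) == 0)
        printf("checked: %s  (tampered=%d)\n", q, query_was_tampered(q));
    return 0;
}
```

The whitelist is a defence-in-depth layer, not the real fix: it must match the grammar of paths the service actually accepts (SRM paths in a real deployment may need characters this list rejects), and the proper cure is to pass the value through the database client's prepared-statement API (e.g. `mysql_stmt_prepare` and bound parameters for MySQL) so that it never becomes part of the SQL text at all.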

On 5 March 2013 the EGI Software Vulnerability Group (SVG) published an official advisory about these vulnerabilities, and of course the DPM software is now fixed 🙂

Related references:

  1. My official advisory is available here.
  2. SVG official advisory is available here.
  3. This blog post is available here 🙂


I would like to thank David Smith, who allowed me to work on DPM and provided the necessary infrastructure and knowledge, not only on this topic 🙂


Best regards,

Adam


Comments

  1. Jakub on 03.11.2013

    No kidding, nice timeline 😉

  2. admin on 03.11.2013

    @Jakub: Hehe… there's no denying it 😉

  3. Uthay Suthakar on 10.08.2013

    Hello Adam,

    That's indeed a great discovery and congratulations! I'm trying to create a network of people who have dealt with DPM, in order to get a clearer picture of the project. I would like to discuss DPM and my research with you. Please get in touch with me via email.

    Many thanks.

    Kind regards,

    Uthay.

  4. pi3 on 10.09.2013

    Unfortunately I no longer play with DPM. Please ping the official DPM support list…

  5. US on 10.09.2013

    Many thanks for your prompt response. I'll try to get in touch with the support team. I just have a quick question: is there any way we could change the config of DPM to point it at a different database, for example from MySQL to PostgreSQL, on the fly? I couldn't see any config that would do that, but I just wanted to confirm with you; please only respond if you remember.

    Many thanks

  6. pi3 on 10.10.2013

    DPM supports MySQL, PostgreSQL and Oracle as well. You need to have that functionality enabled (compiled in) if you want to use it, and then play with the config. Support list contacts can be found here:
    https://twiki.cern.ch/twiki/bin/view/LCG/SupportContacts

  7. US on 10.10.2013

    Many thanks Adam for your swift replies.
