In the second half of 2009 I was working in European Organization for Nuclear Research (CERN). For some time I was part of GRID development team. One of our product was/is DPM server. What is DPM? LCG Disk Pool Manager (DPM) has been developed as part of the LCG project to provide a light-weight implementation of an SRM compliant Storage Element (SE). Since gLite 3.0 it is a standard gLite component, distributed and maintained as part of the gLite release.
DPM is a disk only SE, instead of a disk + MSS implementation like dCache or Castor. It may act as a replacement for the deprecated classic SE with the following advantages :
- SRM interface (both v1.1 and v2.2)
- Better scalability : DPM is allow to manage 100+ TB distributing the load over several servers
- High performances
- Light-weight management
At this time I found serious multiple SQL Injection vulnerabilities in this specific software. I wrote extra layer of protection for DPM which secure software from any similar attack and this layer was responsible for doing extra security checks. Unfortunately because of our internal reorganization patch wasn’t integrated with official release of DPM.
On March 2013 (2013-03-05) SVG team (The EGI Software Vulnerability Group (SVG)) published official advisory about my vulnerabilities and of course DPM software is now secured 🙂
In the following list you can find related references:
- My official advisory is available here.
- SVG official advisory is available here.
- This blog post is available here 🙂
I would like to thanks David Smith whose allowed me to work on DPM and provided necessary infrastructure and knowledge not only at this topic 🙂