Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

SRMWatch vulnerability

Summary

SRMWatch contains an SQL injection vulnerability that can allow malicious users to steal private data, including proxy certificates.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2007-05-31

Description

An arbitrary SQL injection vulnerability has been found in SRM Watch, a tool for monitoring transfers in SRM-dCache. By default SRM Watch is not able to modify the database; however, private data, in particular user proxies, can be read. If SRM Watch were allowed write permission (which may be the case in some installations), the SRM database could additionally be corrupted, rendering the SRM server non-operational.

This problem exists in srmwatch as packaged in the VDT packaging of dCache.

Solution

Please disable SRM Watch until a patch is available. To do so, run the following commands while SRM is still running.

> cd /opt/d-cache/srmwatch-1.0
> ./undeploy_srmwatch

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.