VYPR
Unrated severity · NVD Advisory · Published May 13, 2014 · Updated May 6, 2026

CVE-2011-4970

Description

Multiple SQL injection vulnerabilities in LCG Disk Pool Manager (DPM) before 1.8.6, as used in EGI UDM, allow remote attackers to execute arbitrary SQL commands via the (1) r_token variable in the dpm_get_pending_req_by_token, (2) dpm_get_cpr_by_fullid, (3) dpm_get_cpr_by_surl, (4) dpm_get_cpr_by_surls, (5) dpm_get_gfr_by_fullid, (6) dpm_get_gfr_by_surl, (7) dpm_get_pfr_by_fullid, (8) dpm_get_pfr_by_surl, (9) dpm_get_req_by_token, (10) dpm_insert_cpr_entry, (11) dpm_insert_gfr_entry, (12) dpm_insert_pending_entry, (13) dpm_insert_pfr_entry, (14) dpm_insert_xferreq_entry, (15) dpm_list_cpr_entry, (16) dpm_list_gfr_entry, or (17) dpm_list_pfr_entry function; the (18) surl variable in the dpm_get_cpr_by_surl function; the (19) to_surl variable in the dpm_get_cpr_by_surls function; the (20) u_token variable in the dpm_get_pending_reqs_by_u_desc, (21) dpm_get_reqs_by_u_desc, (22) dpm_get_spcmd_by_u_desc, (23) dpm_insert_pending_entry, (24) dpm_insert_spcmd_entry, or (25) dpm_insert_xferreq_entry function; the (26) s_token variable in the dpm_get_spcmd_by_token, (27) dpm_insert_cpr_entry, (28) dpm_insert_gfr_entry, (29) dpm_insert_pfr_entry, (30) dpm_insert_spcmd_entry, (31) dpm_update_cpr_entry, (32) dpm_update_gfr_entry, or (33) dpm_update_pfr_entry function; or remote administrators to execute arbitrary SQL commands via the (34) poolname variable in the dpm_get_pool_entry, (35) dpm_insert_fs_entry, (36) dpm_insert_pool_entry, (37) dpm_insert_spcmd_entry, (38) dpm_list_fs_entry, or (39) dpm_update_spcmd_entry function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • cpe:2.3:a:disk_pool_manager_project:disk_pool_manager:*:*:*:*:*:*:*:* (range: <=1.8.1)
  • cpe:2.3:a:disk_pool_manager_project:disk_pool_manager:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:disk_pool_manager_project:disk_pool_manager:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:disk_pool_manager_project:disk_pool_manager:1.8.5:*:*:*:*:*:*:*
  • (no CPE) range: <1.8.6

Patches

Vulnerability mechanics

Root cause

"User-supplied parameters (r_token, surl, to_surl, u_token, s_token, poolname) are concatenated directly into SQL queries via sprintf() without any sanitization or parameterisation."

Attack vector

An attacker with a valid certificate from a recognised CA can access the SRM interface and send crafted requests containing SQL metacharacters in token or SURL parameters [ref_id=1]. The advisory shows that passing a single quote (`'`) as the `r_token` value in an `srmGetRequestStatus` call causes the unsanitized value to be interpolated directly into SQL `SELECT` statements, producing a MySQL syntax error [ref_id=1]. Because the same pattern of unsanitized `sprintf()` is used across at least 39 functions, an attacker can inject arbitrary SQL commands via any of the listed parameters (`r_token`, `surl`, `to_surl`, `u_token`, `s_token`, `poolname`) [CWE-89] [ref_id=1].

Affected code

The advisory identifies dozens of functions in `dpm/dpm_mysql_ifce.c` that construct SQL queries by directly concatenating user-controlled variables (e.g., `r_token`, `surl`, `to_surl`, `u_token`, `s_token`, `poolname`) via `sprintf()` without any sanitization [ref_id=1]. The call chain originates from SRM interface handlers in `srmv2.2/srmv2_xferreq.c` such as `ns1__srmGetRequestSummary`, which passes the `r_token` variable to `dpm_getonereqsummary()` in `dpm/dpm_procsubr.c`, which then calls the vulnerable database functions [ref_id=1].

What the fix does

The advisory states that DPM version 1.8.6, released 19 February 2013, contains the fix [ref_id=1]. No patch diff is provided in the bundle, but the remediation must involve replacing the vulnerable `sprintf()`-based query construction with parameterised/prepared statements or proper escaping of all user-supplied values before they are embedded in SQL strings. The advisory notes that the same class of unsanitised input exists across all three supported database backends (MySQL, PostgreSQL, Oracle), so the fix likely addresses each backend uniformly [ref_id=1].
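The following is an added example, not code from DPM or from the advisory, showing the query-construction pattern the "Attack vector" and "Affected code" sections describe beside a hardened builder of the kind the fix would need. Everything except the `r_token` name is assumed: `pending_req` is a placeholder table name, the token grammar (`[A-Za-z0-9._-]`, 1 to 64 bytes) is an assumed allow-list, and `sql_escape()` is a stand-in that mirrors the backslash-escaping rules of `mysql_real_escape_string()` so the program runs without libmysqlclient. In real code, bound parameters via prepared statements remain the preferred fix; escaping is shown here as the second layer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Example code, not DPM's. "pending_req" is an assumed table name;
 * the real schema is not given in the advisory. */

/* Vulnerable pattern described in the advisory: the caller-controlled
 * token is formatted straight into the SQL text.  Input "'" produces
 * ... WHERE r_token = '''  which MySQL rejects with a syntax error. */
int build_query_unsafe(char *out, size_t outsz, const char *r_token)
{
    return snprintf(out, outsz,
                    "SELECT * FROM pending_req WHERE r_token = '%s'", r_token);
}

/* Allow-list check: a request token is accepted only if it is 1..64
 * bytes of [A-Za-z0-9._-].  (Assumed token grammar for this example.) */
int token_is_wellformed(const char *t)
{
    size_t n = strlen(t);
    if (n == 0 || n > 64)
        return 0;
    for (; *t; t++) {
        unsigned char c = (unsigned char)*t;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Stand-in for mysql_real_escape_string(): backslash-escapes quotes,
 * backslashes and the control bytes MySQL treats specially.  Returns
 * the escaped length, or (size_t)-1 if out is too small. */
size_t sql_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        char esc = 0;
        switch (*in) {
        case '\'': case '"': case '\\': esc = *in; break;
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case '\x1a': esc = 'Z'; break;
        default: break;
        }
        if (esc) {
            if (n + 2 >= outsz) return (size_t)-1;
            out[n++] = '\\';
            out[n++] = esc;
        } else {
            if (n + 1 >= outsz) return (size_t)-1;
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened builder: reject malformed tokens outright, then escape the
 * value anyway (defence in depth).  Returns 0 on success, -1 if the
 * token is rejected or a buffer is too small. */
int build_query_safe(char *out, size_t outsz, const char *r_token)
{
    char esc[2 * 64 + 1];
    if (!token_is_wellformed(r_token))
        return -1;
    if (sql_escape(r_token, esc, sizeof esc) == (size_t)-1)
        return -1;
    int len = snprintf(out, outsz,
                       "SELECT * FROM pending_req WHERE r_token = '%s'", esc);
    return (len < 0 || (size_t)len >= outsz) ? -1 : 0;
}

int main(void)
{
    char q[256];
    build_query_unsafe(q, sizeof q, "'");
    printf("unsafe : %s\n", q);            /* ... WHERE r_token = ''' */
    printf("safe   : %s\n",
           build_query_safe(q, sizeof q, "'") == 0 ? q : "rejected");
    build_query_safe(q, sizeof q, "abc-123");
    printf("safe   : %s\n", q);
    return 0;
}
```

The allow-list does the real work: a token that can only contain identifier characters cannot carry a quote, a comment marker or a statement separator, whichever of the three backends (MySQL, PostgreSQL, Oracle) the string is eventually sent to. The escape step is kept so that a future relaxation of the grammar does not silently reopen the hole.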

Preconditions

  • auth: Attacker must possess a valid certificate from a recognised Certificate Authority to access the SRM interface
  • config: The DPM service must be running a version prior to 1.8.6
  • network: Network access to the SRM endpoint (typically port 8446) is required
  • input: Attacker supplies SQL metacharacters in token, SURL, or poolname parameters

Reproduction

The advisory provides a proof-of-concept command: `$ ./srm2_testGetRequestStatus srm://vmgdda0013.cern.ch:8446/ \'` which sends a single quote as the request token [ref_id=1]. The SRM log confirms the injection: the query sent to MySQL becomes `WHERE r_token = '''` and MySQL returns a syntax error [ref_id=1]. The strace output from both the SRMv2.2 process and the MySQL process shows the unsanitized quote reaching the database [ref_id=1].
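As an added example of turning the log evidence above into a detection, the program below scans constructed SRM-style log lines for request tokens containing characters outside the identifier set. The line layout (`r_token=<value>` as a space-delimited field) is assumed for the example and is not DPM's real log format, and the lines themselves are constructed; the third one mirrors the shape of the advisory's proof of concept, a lone quote as the token.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines (not real DPM output; the field layout is
 * assumed for this example).  Line index 2 has the PoC shape from the
 * advisory: a single quote where the request token should be. */
static const char *const sample_log[] = {
    "10/25 09:41:02 srmv2.2: srmGetRequestStatus r_token=a1b2c3d4-0001 user=/DC=org/CN=alice",
    "10/25 09:41:05 srmv2.2: srmGetRequestStatus r_token=a1b2c3d4-0002 user=/DC=org/CN=bob",
    "10/25 09:41:09 srmv2.2: srmGetRequestStatus r_token=' user=/DC=org/CN=eve",
    "10/25 09:41:12 srmv2.2: srmPutDone r_token=a1b2c3d4-0001 user=/DC=org/CN=alice",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/* Copy the value following key (up to the next blank) into out.
 * Returns 1 if the key was present.  A value containing blanks is
 * truncated at the first one, which still keeps any leading quote. */
int extract_field(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Same identifier allow-list the service should enforce: any byte
 * outside [A-Za-z0-9._-], or an empty value, is worth an alert. */
int token_is_suspicious(const char *tok)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-";
    if (*tok == '\0') return 1;
    return tok[strspn(tok, allowed)] != '\0';
}

/* Walk the log; return how many lines carry a suspicious r_token and
 * record their indices in hits (at most max_hits of them). */
size_t scan_log(const char *const *lines, size_t n, size_t *hits, size_t max_hits)
{
    size_t found = 0;
    char tok[128];
    for (size_t i = 0; i < n; i++) {
        if (!extract_field(lines[i], "r_token=", tok, sizeof tok))
            continue;
        if (token_is_suspicious(tok)) {
            if (found < max_hits) hits[found] = i;
            found++;
        }
    }
    return found;
}

int main(void)
{
    size_t hits[8];
    size_t n = scan_log(sample_log, SAMPLE_LOG_LEN, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("ALERT line %zu: %s\n", hits[i], sample_log[hits[i]]);
    return 0;
}
```

The same check applies to the other parameters named in the description (`surl`, `to_surl`, `u_token`, `s_token`, `poolname`) by changing the key passed to `extract_field()`; SURLs legitimately contain `:` and `/`, so they need a wider allow-list than request tokens.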

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)