[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)



Marc Dacier said:

>Let's consider the '.forward' example. It's a feature that you might
>want to use. Its behaviour is well-known. It's not, if I understand
>you correctly, a vulnerability by itself. Though, it becomes a
>vulnerability if I can create or modified one where you were not
>expecting to find one (e.g well known attacks using ftp + .forward, or
>uucp+.forward, ..)
>
>Is the '.forward' the vulnerability? At the contrary, should we have a CVE
>entry for each 'misuse' of the '.forward'? Should we see this as a
>misconfiguration problem for ftp, uucp ...  What about .forward that are
>left as backdoors by bad guys ...

Most of these issues will be discussed in later clusters (recording
each "misuse" of .forward in each different service, .forward left as
a backdoor).  Another topic for later discussion is the appropriate
level of abstraction for this sort of problem.

If root's .forward is writable by anyone, then that allows Leveraged
access (and is a violation of a "Universal policy"), so it should be
included in the CVE (or at the very least, as an instance of some CVE
vulnerability).

In the case where a user just *has* a .forward but it's not writable
by anyone else, that's not a violation of most typical Conditional
policies.  Therefore the simple *use* of .forward should not be
covered by the CVE.

- Steve

 
Page Last Updated: May 22, 2007