Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Jun 2014 19:09:03 -0600
From: "Vincent Danen" <>
Subject: Re: Question regarding CVE applicability of missing HttpOnly flag

On 06/27/2014, at 14:03 PM, wrote:

>> I suppose maybe there is a CWE for not having a virus scanner, which
>> makes sense as that could be considered an overall system weakness.
> Neither CVE nor CWE attempts to cover the general topic of system
> integration, i.e., questions such as "given the composition and role
> of this entire system, is it unreasonable to omit a virus scanner?" In
> practice, both CVE and CWE often tend to be about questions that may
> come up when considering somewhere around one line of code or one file
> of code. (This is just an observational statement, not an attempt to
> redefine why CVE and CWE exist.) Typical audiences may include (among
> others) developers who need to write a line of code safely or system
> administrators who need to patch a faulty line of code.
> This doesn't mean that there's any objection to someone taking the
> position that lack of a virus scanner is the most serious security
> concern that they see in an entire system. This is a valid perspective
> but is outside of the problem spaces in which CVE and CWE have been
> operating. Even if everyone were looking at "whether or not a flaw is
> a flaw" decisions in precisely the same way, a conclusion of "yes,
> this system would really benefit from a virus scanner" leaves open the
> question of the best place to capture that information.

Then shouldn't be the same be true of the HttpOnly flag?  That line of thought is pretty much what I think in regards to that flag.

I don't know if you missed my comment in an earlier message, so I'll note it below because I think this is the real point:

"Kurt's argument about everything having an XSS makes it sound like, and the reasoning provided here as well, that we should no longer consider XSS a security flaw, but the absence of HttpOnly the security flaw.  I mean, if setting this flag "fixes" all XSS issues, then we should no longer be assigning CVEs to XSS issues, only to web servers/services that do not set HttpOnly or browsers that do not respect/handle it properly.  They can't _both_ get CVEs or be considered flaws, can they?"

Vincent Danen / Red Hat Product Security
Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ