Date: Mon, 30 Jun 2014 07:43:37 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, jamie@...onical.com
Subject: Re: Question regarding CVE applicability of missing HttpOnly flag

On 06/27/2014, at 21:23 PM, cve-assign@...re.org wrote:

> You quoted two paragraphs on the topic of whether system-integration
> issues are covered by CVE and CWE, and then wrote "shouldn't the same
> be true of the HttpOnly flag?" It's unclear how to answer except by
> saying: a decision to use or not use the HttpOnly flag isn't a
> system-integration issue.
>
> You then mentioned 'if setting this flag "fixes" all XSS issues.' It
> seems that a reasonable response here is: an XSS attack can have a
> severe impact even if it's not designed to steal any cookies. (The
> non-cookie-stealing severity varies, in part, based on the types of
> input that are common for the web application in question.) The
> HttpOnly flag is specific to cookies.
>
> Finally, you mentioned "They can't _both_ get CVEs" - a question that
> seems to be about a superfluous CVE assignment in a case where the
> only goal of an XSS attack is to steal a cookie, and the attack relies
> on an XSS vulnerability in a certain web application that doesn't set
> the HttpOnly flag. A response here is: there could be a scenario that
> ended up with a single CVE assignment for a composite of one specific
> instance of incorrect input validation and an incorrect cookie
> restriction. This scenario seems rare. It would require that neither
> issue was dangerous except in the presence of the other issue. For
> example, it would require that the only possible impact of the
> incorrect input validation was to pass JavaScript code that could
> steal cookies (any other malicious JavaScript code would be blocked).
> In most practical cases, two CVE assignments would often be possible
> if someone happened to request two.

Ahhh... ok, this makes more sense.  Thank you!



-- 
Vincent Danen / Red Hat Product Security
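The reply above turns on the point that HttpOnly is a per-cookie attribute: its absence widens what an injected script can read, but it neither causes nor fixes the XSS itself. The following is an added example, not code from the thread or from either party, showing how a defender would audit a response's Set-Cookie headers for the flag cookie by cookie; the header values are constructed sample data and the function names are my own.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example, not part of the original thread. HttpOnly is set per
cookie, so the audit must inspect every Set-Cookie header separately; a
cookie that lacks the flag is readable through document.cookie by any
script running in the page, which is the only impact the flag addresses.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Valueless attributes (HttpOnly, Secure) are recorded as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": attrs.get("samesite"),  # attribute value or None
    }


def audit_set_cookie(headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per cookie missing HttpOnly and/or Secure."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag in ("httponly", "secure") if not cookie[flag]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing})
    return findings


# Constructed sample response headers (hypothetical, not from the thread).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz789; Path=/; Secure",   # script-readable: no HttpOnly
    "prefs=dark; Path=/",                 # neither flag set
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{finding['name']}: missing {', '.join(finding['missing'])}")
```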