Date: Mon, 30 Jun 2014 07:43:37 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, jamie@...onical.com
Subject: Re: Question regarding CVE applicability of missing HttpOnly flag

On 06/27/2014, at 21:23 PM, cve-assign@...re.org wrote:

> You quoted two paragraphs on the topic of whether system-integration
> issues are covered by CVE and CWE, and then wrote "shouldn't the same
> be true of the HttpOnly flag?" It's unclear how to answer except by
> saying: a decision to use or not use the HttpOnly flag isn't a
> system-integration issue.
>
> You then mentioned 'if setting this flag "fixes" all XSS issues.' It
> seems that a reasonable response here is: an XSS attack can have a
> severe impact even if it's not designed to steal any cookies. (The
> non-cookie-stealing severity varies, in part, based on the types of
> input that are common for the web application in question.) The
> HttpOnly flag is specific to cookies.
>
> Finally, you mentioned "They can't _both_ get CVEs" - a question that
> seems to be about a superfluous CVE assignment in a case where the
> only goal of an XSS attack is to steal a cookie, and the attack relies
> on an XSS vulnerability in a certain web application that doesn't set
> the HttpOnly flag. A response here is: there could be a scenario that
> ended up with a single CVE assignment for a composite of one specific
> instance of incorrect input validation and an incorrect cookie
> restriction. This scenario seems rare. It would require that neither
> issue was dangerous except in the presence of the other issue. For
> example, it would require that the only possible impact of the
> incorrect input validation was to pass JavaScript code that could
> steal cookies (any other malicious JavaScript code would be blocked).
> In most practical cases, two CVE assignments would often be possible
> if someone happened to request two.

Ahhh... ok, this makes more sense.  Thank you!



-- 
Vincent Danen / Red Hat Product Security