
Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)



Marc Dacier said:

>Let's consider the '.forward' example. It's a feature that you might
>want to use. Its behaviour is well-known. It's not, if I understand
>you correctly, a vulnerability by itself. Though, it becomes a
>vulnerability if I can create or modify one where you were not
>expecting to find one (e.g. well-known attacks using ftp + .forward, or
>uucp+.forward, ..)
>
>Is the '.forward' the vulnerability? On the contrary, should we have a CVE
>entry for each 'misuse' of the '.forward'? Should we see this as a
>misconfiguration problem for ftp, uucp ...  What about .forward that are
>left as backdoors by bad guys ...

Most of these issues will be discussed in later clusters (recording
each "misuse" of .forward in each different service, .forward left as
a backdoor).  Another topic for later discussion is the appropriate
level of abstraction for this sort of problem.

If root's .forward is writable by anyone, then that allows Leveraged
access (and is a violation of a "Universal policy"), so it should be
included in the CVE (or at the very least, as an instance of some CVE
vulnerability).

In the case where a user just *has* a .forward but it's not writable
by anyone else, that's not a violation of most typical Conditional
policies.  Therefore the simple *use* of .forward should not be
covered by the CVE.

- Steve
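
Added example, not part of the original message: a Python check that applies the distinction drawn above, reporting a .forward (or the directory holding it) that someone other than the owner can write, and reporting nothing for plain use of the feature. The function names, the finding strings and the temporary sample directories are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Write bits for anyone other than the owner.
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_forward(home, expected_uid):
    """Return findings for home/.forward. An empty list covers both 'no
    .forward' and 'a .forward only its owner can change' (plain use)."""
    findings = []
    # Anyone who can write the directory can create a .forward in it.
    if os.stat(home).st_mode & OTHERS_WRITE:
        findings.append("home directory writable by group/other")
    try:
        st = os.stat(os.path.join(home, ".forward"))
    except FileNotFoundError:
        return findings
    if st.st_uid != expected_uid:
        findings.append(".forward not owned by the account")
    if st.st_mode & OTHERS_WRITE:
        findings.append(".forward writable by group/other")
    return findings

def demo():
    """Build three constructed home directories and audit each one."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, dir_mode, file_mode in [
            ("plain_use", 0o755, 0o644),      # user simply has a .forward
            ("writable_file", 0o755, 0o666),  # .forward writable by anyone
            ("writable_home", 0o777, None),   # none yet, but one can be created
        ]:
            home = os.path.join(root, name)
            os.mkdir(home)
            os.chmod(home, dir_mode)
            if file_mode is not None:
                fwd = os.path.join(home, ".forward")
                with open(fwd, "w") as f:
                    f.write("user@example.org\n")  # constructed sample address
                os.chmod(fwd, file_mode)
            results[name] = audit_forward(home, uid)
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "no finding")
```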

Page Last Updated or Reviewed: May 22, 2007