Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Marc Dacier said:
>Let's consider the '.forward' example. It's a feature that you might
>want to use. Its behaviour is well-known. It's not, if I understand
>you correctly, a vulnerability by itself. Though, it becomes a
>vulnerability if I can create or modified one where you were not
>expecting to find one (e.g well known attacks using ftp + .forward, or
>Is the '.forward' the vulnerability? At the contrary, should we have a CVE
>entry for each 'misuse' of the '.forward'? Should we see this as a
>misconfiguration problem for ftp, uucp ... What about .forward that are
>left as backdoors by bad guys ...
Most of these issues will be discussed in later clusters (recording
each "misuse" of .forward in each different service, .forward left as
a backdoor). Another topic for later discussion is the appropriate
level of abstraction for this sort of problem.
If root's .forward is writable by anyone, then that allows Leveraged
access (and is a violation of a "Universal policy"), so it should be
included in the CVE (or at the very least, as an instance of some CVE
In the case where a user just *has* a .forward but it's not writable
by anyone else, that's not a violation of most typical Conditional
policies. Therefore the simple *use* of .forward should not be
covered by the CVE.