PROPOSAL: Cluster 32 - DATA (10 candidates)

Most of the following candidates are affected by the Data Access content decisions described previously. Note the use of the term "inappropriate," which has a semi-formal definition in the context of Data Access.

Some of these candidates would appear to be at a high level. In addition, my definition of "system-critical" could be difficult to assess from an automated tool perspective. I think that these candidates illustrate how far away we are from being able to effectively describe the nature of such vulnerabilities. However, many tools are beginning to focus on these sorts of problems, so we could be well served to ensure that we have some CVE vulnerabilities which attempt to capture this.

- Steve

Summary of votes to use (in ascending order of "severity"):

ACCEPT    - member accepts the candidate as proposed
NOOP      - member has no opinion on the candidate
MODIFY    - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW site.

VOTE:

=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

VOTE:

=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

VOTE:

=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

VOTE:

=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

NFS exports system-critical data to the world, e.g. / or a password file.

VOTE:

=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical Unix file or directory has inappropriate permissions.

VOTE:

=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT file or directory has inappropriate permissions.

VOTE:

=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory.

VOTE:

=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

VOTE:

=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

An event log in Windows NT has inappropriate access permissions.

VOTE: