PROPOSAL: Cluster 32 - DATA (10 candidates)



Most of the following candidates are affected by the Data Access
content decisions described previously.  Note the use of the term
"inappropriate," which has a semi-formal definition in the context of
Data Access.

Some of these candidates would appear to be at a high level.  In
addition, my definition of "system-critical" could be difficult to
assess from an automated tool perspective.  I think that these
candidates illustrate how far away we are from being able to
effectively describe the nature of such vulnerabilities.  However,
many tools are beginning to focus on these sorts of problems, so we
could be well served to ensure that we have some CVE vulnerabilities
which attempt to capture this.

- Steve


Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW
site.

VOTE:

=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

VOTE:

=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.

VOTE:

=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

The permissions for system-critical data in an anonymous FTP account
are inappropriate.  For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.

VOTE:

=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

NFS exports system-critical data to the world, e.g. / or a password
file.

VOTE:

=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical Unix file or directory has inappropriate
permissions.

VOTE:

=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT file or directory has inappropriate
permissions.

VOTE:

=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory.

VOTE:

=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.

VOTE:

=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990803
Assigned: 19990607
Category: CF

An event log in Windows NT has inappropriate access permissions.

VOTE:

Page Last Updated or Reviewed: May 22, 2007