
Re: PROPOSAL: Cluster 21 - MORELOW (37 candidates)



Bill Wall said:

>=================================
>Candidate: CAN-1999-0455
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990726
>Assigned: 19990607
>Category: SF
>Reference: ALLAIRE:ASB-001
>Reference: XF:coldfusion-expression-evaluator
>Reference: SF:115
>
>The Expression Evaluator sample application in ColdFusion allows
>remote attackers to read or delete files on the server.
>
>VOTE: MODIFY
>The reference should be ASB99-01 (Expression Evaluator Security Issues).
>Make application plural since there are three sample applications
>(openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
>
>
>=================================
>Candidate: CAN-1999-0477
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990726
>Assigned: 19990607
>Category: SF
>Reference: L0PHT:Cold Fusion App Server
>Reference: XF:coldfusion-expression-evaluator
>Reference: SF:115
>
>The Expression Evaluator in the ColdFusion Application Server allows a
>remote attacker to execute commands by uploading a file.
>
>VOTE: REJECT
>Duplicate of 0455


I think there are a few issues here.

1) On initial inspection, I thought that the flaw in CAN-1999-0455 was
replicated in the different configuration files, in which case I would
have argued that they were separate vulnerabilities ("Different
Functionality, Different Vulnerability").  However, it turns out that
each of them is referring to another configuration file, which itself
contains the vulnerability.  So it's like a library, so the different
configuration files that use that library need not be distinguished.

2) Maybe we should NOT merge CAN-1999-0455 with CAN-1999-0477, because
CAN-1999-0477 was discovered at a later time, so I think that the
"Same Time of Discovery" content decision means we should distinguish
between the two.  The question is, how much time is sufficient?  If I
recall correctly, Allaire had to release a new patch to handle
CAN-1999-0477, after it had already patched CAN-1999-0455.  I think
that marks sufficient time.  Also, CAN-1999-0477 requires a slightly
different attack than CAN-1999-0455.  But on the other hand,
CAN-1999-0455 existed at the same time that CAN-1999-0477 did.

In the case of the Digital "at" program and others, the vulnerability
didn't show up for a number of years after the "at" program for other
OSes was fixed.  The Same Time of Discovery decision would require a
distinction between Digital "at" and the other "at" programs (assuming
"at" had the Same Codebase across all those OSes).

- Steve

Page Last Updated or Reviewed: May 22, 2007