Dailydave mailing list archives
Re: CVSS is the worst compression algorithm ever
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Sun, 7 Apr 2019 08:02:42 +1000
Dave,

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> The issue is simplified to: If an SQLi exists, how does that rank for the CVSS Confidentiality, Integrity, and Availability sections. Like, here's an example: https://nvd.nist.gov/vuln/detail/CVE-2013-0375. As you can see there is "low" impact on confidentiality and integrity, and NO impact on availability.
For the record, Bruce from https://www.first.org/members/teams/oracle represented their feedback to cvss-sig () lists first org.

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> But how can that be correct? The questions you start to ask as you make those decisions are: What user context am I running in on the SQL Server (i.e. sa?) and what does that user have access to in terms of tables, and what importance is that information? Also what clause is the injection running in the SQL statement itself? Does this database support sub-queries such that I can alter information? Are there functions that do things with side effects I can call? Answering these questions is complex and possibly dependent on configuration and the CVSS way is to assume the worst, which cannot POSSIBLY BE "LOW".
Please refer to the "Addition Of Partial+ Rating" section of https://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html under the "CVSS Version 2.0" heading.

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> And at a minimum, you would expect possible Availability issues to be high, because anyone who's played with an SQL injection tool knows that even doing SLEEP statements has a tendency to take down web applications. Imagine if your goal was to take down a web application with an SQLi...? I think Microsoft Research did a whole paper on doing SQL Injection timing attacks just with random function calls? I can't find it now though.
>
> Ok, so that brings us to XSS and "HTTPOnly" and the FIRST.org assessment: https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937
>
> I've never run phpMyAdmin, and I've certainly never tried to use BeEF with an XSS in an attack against it. But you'd have to imagine that it would work fine to drive the interface, and that interface looks like it has a full "execute any SQL statement" section in it. Also usually with this sort of program you have a whole "install add-on" interface, which if driven at the administrator level, is RCE. I don't consider that two bugs, because "installing an add-on" is the functionality admin users need to have and it's completely built-in. So the question is: Can phpMyAdmin be driven AS IF FROM THE ADMIN by this XSS (aka, is the proper CVSS score an 11?) I would guess yes. Or, am I completely wrong, and the impact is quite limited?
Please refer to the "3.7. Vulnerability Chaining" section of https://www.first.org/cvss/user-guide

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave