[Dailydave] CVSS is the worst compression algorithm ever

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Apr 6 22:02:42 UTC 2019


Dave,

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel at gmail.com> wrote:
> The issue is simplified to: If an SQLi exists, how does that rank for the
> CVSS Confidentiality, Integrity, and Availability sections. Like, here's
> an example: https://nvd.nist.gov/vuln/detail/CVE-2013-0375 . As you
> can see there is "low" impact on confidentiality and integrity, and NO
> impact on availability.

For the record, Bruce from https://www.first.org/members/teams/oracle
represented their feedback to cvss-sig at lists.first.org

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel at gmail.com> wrote:
> But how can that be correct? The questions you start to ask as you
> make those decisions are: What user context am I running in on the
> SQL Server (i.e. sa?) and what does that user have access to in
> terms of tables, and what importance is that information? Also what
> clause is the injection running in the SQL statement itself? Does this
> database support sub-queries such that I can alter information? Are
> there functions that do things with side effects I can call? Answering
> these questions is complex and possibly dependent on configuration
> and the CVSS way is to assume the worst, which cannot POSSIBLY
> BE "LOW".

Please refer to the "Addition Of Partial+ Rating" section of
https://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html
under the "CVSS Version 2.0" heading.

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel at gmail.com> wrote:
> And at a minimum, you would expect possible Availability issues to be
> high, because anyone who's played with an SQL injection tool knows
> that even doing SLEEP statements has a tendency to take down web
> applications. Imagine if your goal was to take down a web application
> with an SQLi...? I think Microsoft Research did a whole paper on doing
> SQL Injection timing attacks just with random function calls? I can't find
> it now though.
>
> Ok, so that brings us to XSS and "HTTPOnly" and the FIRST.org
> assessment: https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937
>
> I've never run phpMyAdmin, and I've certainly never tried to use BeEF
> with a XSS in an attack against it. But you'd have to imagine that it
> would work fine to drive the interface, and that interface looks like it has
> a full "execute any SQL statement" section in it. Also usually with this
> sort of program you have a whole "install add-on" interface, which if
> driven at the administrator level, is RCE. I don't consider that two bugs,
> because "installing an add-on" is the functionality admin users need to
> have and it's completely built-in.
>
> So the question is: Can phpMyAdmin be driven AS IF FROM THE
> ADMIN by this XSS (aka, is the proper CVSS score an 11?) I would
> guess yes. Or, am I completely wrong, and the impact is quite limited?

Please refer to "3.7. Vulnerability Chaining" section of
https://www.first.org/cvss/user-guide


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

