Dave,

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <[email protected]> wrote:
> The issue is simplified to: If an SQLi exists, how does that rank for the
> CVSS Confidentiality, Integrity, and Availability sections. Like, here's
> an example: https://nvd.nist.gov/vuln/detail/CVE-2013-0375 . As you
> can see there is "low" impact on confidentiality and integrity, and NO
> impact on availability.

For the record, Bruce from https://www.first.org/members/teams/oracle represented their feedback to [email protected]

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <[email protected]> wrote:
> But how can that be correct? The questions you start to ask as you
> make those decisions are: What user context am I running in on the
> SQL Server (i.e. sa?) and what does that user have access to in
> terms of tables, and what importance is that information? Also what
> clause is the injection running in the SQL statement itself? Does this
> database support sub-queries such that I can alter information? Are
> there functions that do things with side effects I can call? Answering
> these questions is complex and possibly dependent on configuration
> and the CVSS way is to assume the worst, which cannot POSSIBLY
> BE "LOW".

Please refer to the "Addition Of Partial+ Rating" section of https://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html under the "CVSS Version 2.0" heading.

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <[email protected]> wrote:
> And at a minimum, you would expect possible Availability issues to be
> high, because anyone who's played with an SQL injection tool knows
> that even doing SLEEP statements has a tendency to take down web
> applications. Imagine if your goal was to take down a web application
> with an SQLi...? I think Microsoft Research did a whole paper on doing
> SQL Injection timing attacks just with random function calls? I can't find
> it now though.
>
> Ok, so that brings us to XSS and "HTTPOnly" and the FIRST.org
> assessment:
> https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937
>
> I've never run phpMyAdmin, and I've certainly never tried to use BeEF
> with an XSS in an attack against it. But you'd have to imagine that it
> would work fine to drive the interface, and that interface looks like it has
> a full "execute any SQL statement" section in it. Also usually with this
> sort of program you have a whole "install add-on" interface, which if
> driven at the administrator level, is RCE. I don't consider that two bugs,
> because "installing an add-on" is the functionality admin users need to
> have and it's completely built-in.
>
> So the question is: Can phpMyAdmin be driven AS IF FROM THE
> ADMIN by this XSS (aka, is the proper CVSS score an 11?) I would
> guess yes. Or, am I completely wrong, and the impact is quite limited?

Please refer to the "3.7. Vulnerability Chaining" section of https://www.first.org/cvss/user-guide

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
