oss-sec mailing list archives
Re: CVE Request for Horde and Squirrelmail
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 25 May 2010 17:12:07 -0400 (EDT)
While these port-scanning types of issues are rarely reported, there are precedents for them, especially in the web application security world (see Jeremiah Grossman's work on port-scanning through web browsers, for a start).
Even though the consequences may be minimal, they still allow an attacker from *outside* a network to determine the state of machines that live *inside* that network, even when the attacker does not have direct access to the internal network. So there is an information leak.
As such, the CVE assignment is appropriate. (To the Horde devs, if you wish to publish a dispute within the CVE description itself, contact me offline; the description can at least be written to emphasize that it only happens when sysadmins don't follow documentation.)
- Steve