oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jun 2014 09:52:31 -0600
On 26/06/14 01:50 AM, Florian Weimer wrote:

> On 06/26/2014 01:07 AM, cve-assign () mitre org wrote:
>> -- compared to the development cost in arranging for the flag to be set, is it possible that the real-life benefit is too small?
>
> You need a separate vulnerability to access the cookie. These vulnerabilities will have to be addressed even if the HttpOnly flag is set because indirectly, they usually give attackers access to information from which cookies are derived (e.g., by injecting a malicious login form). Therefore, I think the HttpOnly flag is just hardening, and it's not even a very effective form of it.

By that logic then we wouldn't assign CVEs for bad salt/lacking salt/bad password encryption, as the "real" vulnerability is in the access of that data. The reality is a lot of what used to be exotic security is now becoming basic standard practice, largely I think for two simple reasons: 1) attackers keep getting better and 2) the technical security debt in most existing software keeps getting discovered to be larger.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
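The check a product security team would actually run when triaging a report like the one debated above, written here as an added example that is not code from the thread or from any participant: it parses a response's Set-Cookie headers and reports which of the hardening attributes (HttpOnly, Secure, SameSite) each cookie lacks, so a missing flag can be recorded as a hardening gap that widens the impact of a separate bug rather than as a vulnerability on its own. Function names and the sample headers are this example's own constructions.

```python
# Added example: audit Set-Cookie headers for the hardening attributes
# HttpOnly, Secure and SameSite. Sample headers are constructed; function
# names are this example's own, not from any library or project.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for raw in parts[1:]:
        if raw:  # tolerate a trailing ';'
            key, _, val = raw.partition("=")
            attrs[key.strip().lower()] = val.strip() or None
    return name.strip(), value.strip(), attrs


# A missing flag is a hardening gap: it widens the impact of a separate bug
# (a script injection, a cleartext hop) rather than being a bug by itself.
def missing_flags(header):
    """Return the hardening attributes a single Set-Cookie header lacks."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:  # readable through document.cookie
        missing.append("HttpOnly")
    if "secure" not in attrs:    # also sent on cleartext HTTP requests
        missing.append("Secure")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):  # absent, or SameSite=None
        missing.append("SameSite")
    return missing


def audit_response(headers):
    """Map cookie name -> missing flags for every Set-Cookie in a response (list of (k, v))."""
    return {parse_set_cookie(v)[0]: missing_flags(v)
            for k, v in headers if k.lower() == "set-cookie"}


SAMPLE_HEADERS = [  # constructed, not captured from a real application
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracking=1; Max-Age=3600; httponly;"),
]

if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```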