WebApp Sec mailing list archives
Re: rating TRACE
From: Simon Ward <simon () westpoint ltd uk>
Date: Fri, 14 Nov 2014 15:43:35 +0000
On 2014-11-14 13:41, Simon Ward wrote:

> The impact should really be none, since there is none if you can't manipulate the browser or plugin to create your dodgy request in the first place. If we're treating it as a vulnerability and fudging the CVSS scores for it then I might give it a partial integrity impact based on scoring tip #2 in the CVSS reference (consider the direct impact to the target host only).
Confidentiality impact is probably more correct being header exposure, though it would give the same score. At least a couple of related CVEs are scored in NVD with only confidentiality impact:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3398
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2223

Simon

--
Senior Operations Consultant
Westpoint Limited | t: +44 (0)161 237 1028 | w: www.westpoint.ltd.uk