Web Application Security
Re: rating TRACE Nov 14 2014 03:43PM
Simon Ward (simon westpoint ltd uk)
On 2014-11-14 13:41, Simon Ward wrote:
> The impact should really be none, since there is none if you can't
> manipulate the browser or plugin to create your dodgy request in the
> first place. If we're treating it as a vulnerability and fudging the
> CVSS scores for it then I might give it a partial integrity impact based
> on scoring tip #2 in the CVSS reference (consider the direct impact to
> the target host only).

Confidentiality impact is probably more correct being header exposure,
though it would give the same score. At least a couple of related CVEs
are scored in NVD with only confidentiality impact:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3398
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2223

Simon
--
Senior Operations Consultant
Westpoint Limited | t: +44 (0)161 237 1028 | w: www.westpoint.ltd.uk
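
The scoring point discussed in this message, as an added example that is not part of the original post: a CVSS v2 base-score calculation showing that an impact of none scores 0.0 and that partial confidentiality and partial integrity impact give the same score. The weights and equation are those of the CVSS v2 specification; the access vector, complexity and authentication combinations are constructed for illustration and are not the NVD vectors of the CVEs cited above.

```python
from itertools import product

# Metric weights from the CVSS v2 base equation.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Conf. / Integ. / Avail. impact


def base_score(vector):
    """Return the CVSS v2 base score for a vector such as
    'AV:N/AC:L/Au:N/C:P/I:N/A:N'."""
    m = dict(item.split(":") for item in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - m.keys()
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) = 0: no impact means no score at all
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def compare_impacts():
    """Score every AV/AC/Au combination three ways: no impact,
    partial confidentiality only, partial integrity only."""
    rows = []
    for av, ac, au in product(AV, AC, AU):
        prefix = f"AV:{av}/AC:{ac}/Au:{au}"
        rows.append((
            prefix,
            base_score(prefix + "/C:N/I:N/A:N"),
            base_score(prefix + "/C:P/I:N/A:N"),
            base_score(prefix + "/C:N/I:P/A:N"),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'exploitability metrics':<24}{'none':>6}{'C:P':>6}{'I:P':>6}")
    for prefix, none, conf, integ in compare_impacts():
        print(f"{prefix:<24}{none:>6}{conf:>6}{integ:>6}")
```

The impact term is symmetric in C, I and A, so which of the two partial impacts is chosen never changes the base score; only the choice between some impact and none does.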

Copyright 2010, SecurityFocus