
[Sks-devel] and CVE-2014-3207

From: Alain Wolf
Subject: [Sks-devel] and CVE-2014-3207
Date: Thu, 14 Dec 2017 00:48:52 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0


A few days ago the status page of my key-server [1] began to show ...

> Vulnerable to CVE-2014-3207   Yes

This began after I created customized Nginx error pages, not just for
the key-server, but all sites hosted here.

The problem was that the new error pages have an email link to let visitors mail
the webmaster about problems they encountered. The mail is prefilled with
information on the error, amongst other things, also the HTTP request as

This rightfully triggered the vulnerability warning.

I have now changed the error page [2] to escape URLs with HTML entities
and my status page no longer shows any error.




# 11370 # Alain Wolf <address@hidden>
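
The kind of fix described in the message above, as an added example that is not part of the original post and not the author's error page: a mailto link prefilled with the HTTP request, built once verbatim and once with encoding for each context. The webmaster address, the function names, the sample request and the simple `<script` reflection check are assumptions made for illustration.

```python
import html
from urllib.parse import quote

WEBMASTER = "webmaster@example.org"  # placeholder address (assumption)

# Constructed sample request line carrying markup, as a reflection check might send.
SAMPLE_REQUEST = 'GET /pks/lookup?search="><script>alert(1)</script> HTTP/1.1'


def mailto_link_unescaped(status: int, request: str) -> str:
    """'Before' form: the request is copied verbatim into the href attribute."""
    href = f"mailto:{WEBMASTER}?subject=Error {status}&body=Request: {request}"
    return f'<a href="{href}">Mail the webmaster</a>'


def mailto_link_escaped(status: int, request: str) -> str:
    """Encode for each context the request passes through, innermost first."""
    # 1. Percent-encode so the request stays a single mailto: body value.
    subject = quote(f"Error {status}", safe="")
    body = quote(f"Request: {request}", safe="")
    href = f"mailto:{WEBMASTER}?subject={subject}&body={body}"
    # 2. HTML-escape for the attribute context (& becomes &amp;, quotes and <> too).
    return f'<a href="{html.escape(href, quote=True)}">Mail the webmaster</a>'


def reflects_markup(page: str) -> bool:
    """True if the page contains the request's markup unescaped."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for build in (mailto_link_unescaped, mailto_link_escaped):
        page = build(404, SAMPLE_REQUEST)
        print(build.__name__, "reflects markup:", reflects_markup(page))
        print(page)
```

The HTML-escaping step still matters after percent-encoding, because the `&` that separates `subject` and `body` must appear as `&amp;` inside the attribute.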
