sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://

From: Eric Germann
Subject: Re: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page
Date: Sat, 30 Jun 2018 23:17:56 -0400
Here’s a test point

https://sks-keyservers.net/status/ks-status.php?server=sks-ams.semperen.com

shows

Vulnerable to CVE-2014-3207
Yes


Testing my server with the link you provided shows:

Page not found

Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E


Which is exactly what it showed when the status was “No”.  Literally, nothing changed on it, except time.  They oscillate in and out of the this state as near as I can tell.

Thanks for any insight anyone may have as to what could be causing this.

EKG

On Jun 30, 2018, at 1:55 PM, Christiaan de Die le Clercq <address@hidden> wrote:

Hi Eric,

The flag is set when SKS-Keyserver is vulnerable for XSS injection,
which is testable by going here:
http://<YOUR SKS
SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

Op 30-6-2018 om 3:20 PM schreef Eric Germann:
Greetings,

Can anyone shed some light on what causes the "Vulnerable to
CVE-2014-3207” flag to be set in the status page
(https://sks-keyservers.net/status/ks-status.php?server=<servername>
<https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it
appears to be eligible for pool inclusion.  After a while, it moves to
“Yes” and appears to be ineligible.

I’m trying to understand what changes from just running as the CVE seems
to be on the SKS server side.

Thanks for any insight

EKG



_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel



Attachment: signature.asc
Description: Message signed with OpenPGP

reply via email to
[Prev in Thread] Current Thread [Next in Thread]