From: Christiaan de Die le Clercq
Subject: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page
Date: Sat, 30 Jun 2018 19:55:25 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

Hi Eric,

The flag is set when SKS-Keyserver is vulnerable to XSS injection,
which is testable by going here:
http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

Op 30-6-2018 om 3:20 PM schreef Eric Germann:
> Greetings,
> 
> Can anyone shed some light on what causes the "Vulnerable to 
> CVE-2014-3207" flag to be set in the status page 
> (https://sks-keyservers.net/status/ks-status.php?server=<servername> 
> <https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>) 
> for a server?
> 
> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as 
> laid out in https://keyserver.mattrude.com/guides/building-server/
> 
> After a boot, the key server will show “No” in the CVE field and it 
> appears to be eligible for pool inclusion.  After a while, it moves to 
> “Yes” and appears to be ineligible.
> 
> I’m trying to understand what changes from just running as the CVE seems 
> to be on the SKS server side.
> 
> Thanks for any insight
> 
> EKG
> 

Attachment: signature.asc
Description: OpenPGP digital signature
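The reply above gives the lookup URL an operator can use to tell whether a keyserver reflects the request path back unescaped. The script below is an added example, not code from this thread or from the SKS project: it builds that same URL for a given server name, and classifies a captured response body as reflecting the probe markup verbatim (the CVE-2014-3207 condition), HTML-escaped (what a fixed build does), or not at all. The sample response bodies are constructed for the example and are not real SKS output; `check_server` is an assumed helper for running the check against a server you operate.

```python
"""Self-check for the CVE-2014-3207 reflected-XSS condition on an SKS keyserver.

Added example, not code from the sks-devel thread or from the SKS project.
The probe path is the one quoted in the reply; the response bodies below are
constructed samples, not real SKS output.
"""
import html
import urllib.error
import urllib.parse
import urllib.request

# Probe path from the reply, in URL-decoded form.
PROBE_PATH = "/pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>"
# The markup fragment whose verbatim reflection marks a vulnerable build.
PROBE_MARKUP = "<ScRiPt>prompt(972363)</ScRiPt>"


def build_probe_url(host: str, scheme: str = "http") -> str:
    """Build the lookup URL from the reply for a given server name.

    Parentheses are left unencoded so the result matches the URL as posted.
    """
    return f"{scheme}://{host}" + urllib.parse.quote(PROBE_PATH, safe="/()")


def classify_response(body: str) -> str:
    """Classify a response body to the probe URL.

    Returns one of:
      'vulnerable'    - probe markup reflected verbatim (browser would run it)
      'escaped'       - reflected only as HTML entities (&lt;ScRiPt&gt; or &#60;...)
      'not-reflected' - request path does not appear in the response at all
    """
    if PROBE_MARKUP in body:
        return "vulnerable"
    # Entity-encoded reflection (named or numeric) decodes to the markup
    # but was never delivered as live tags.
    if PROBE_MARKUP in html.unescape(body):
        return "escaped"
    return "not-reflected"


def check_server(host: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL from a keyserver you operate and classify the body.

    Assumed helper: SKS answers the malformed lookup with an HTTP error, so the
    error body is read and classified as well.
    """
    req = urllib.request.Request(
        build_probe_url(host), headers={"User-Agent": "sks-selfcheck"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")
    return classify_response(body)


# Constructed sample bodies (not real SKS output) showing each outcome.
VULNERABLE_BODY = (
    "<html><body><p>Unknown request: undefined1"
    "<ScRiPt>prompt(972363)</ScRiPt></p></body></html>"
)
ESCAPED_BODY = (
    "<html><body><p>Unknown request: undefined1"
    "&lt;ScRiPt&gt;prompt(972363)&lt;/ScRiPt&gt;</p></body></html>"
)
NUMERIC_ESCAPED_BODY = (
    "<html><body><p>Unknown request: undefined1"
    "&#60;ScRiPt&#62;prompt(972363)&#60;/ScRiPt&#62;</p></body></html>"
)
SILENT_BODY = "<html><body><p>Unknown request.</p></body></html>"


if __name__ == "__main__":
    print(build_probe_url("keys.example.org"))
    for name, body in (
        ("vulnerable sample", VULNERABLE_BODY),
        ("escaped sample", ESCAPED_BODY),
        ("numeric-entity sample", NUMERIC_ESCAPED_BODY),
        ("silent sample", SILENT_BODY),
    ):
        print(f"{name}: {classify_response(body)}")
```

Run `check_server("<your server name>")` against your own keyserver to get the same verdict the status page is computing; the classification is deliberately exact-match on the probe markup, so a build that reflects the path but entity-encodes it reports `escaped` rather than `vulnerable`.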