Here’s a test point

https://sks-keyservers.net/status/ks-status.php?server=sks-ams.semperen.com

shows

Vulnerable to CVE-2014-3207    Yes

Testing my server with the link you provided shows:

Page not found

Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

Which is exactly what it showed when the status was “No”. Literally, nothing changed on it, except time.

They oscillate in and out of this state as near as I can tell.

Thanks for any insight anyone may have as to what could be causing this.

EKG

> On Jun 30, 2018, at 1:55 PM, Christiaan de Die le Clercq
> <cont...@techwolf12.nl> wrote:
>
> Hi Eric,
>
> The flag is set when SKS-Keyserver is vulnerable to XSS injection,
> which is testable by going here:
> http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E
>
> More info on here:
> https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
> and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207
>
>
> Kind regards,
>
> Christiaan de Die le Clercq
>
> On 30-6-2018 at 3:20 PM, Eric Germann wrote:
>> Greetings,
>>
>> Can anyone shed some light on what causes the "Vulnerable to
>> CVE-2014-3207” flag to be set in the status page
>> (https://sks-keyservers.net/status/ks-status.php?server=<servername>)
>> for a server?
>>
>> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
>> laid out in https://keyserver.mattrude.com/guides/building-server/
>>
>> After a boot, the key server will show “No” in the CVE field and it
>> appears to be eligible for pool inclusion. After a while, it moves to
>> “Yes” and appears to be ineligible.
>>
>> I’m trying to understand what changes from just running as the CVE seems
>> to be on the SKS server side.
>>
>> Thanks for any insight
>>
>> EKG
>>
>>
>>
>> _______________________________________________
>> Sks-devel mailing list
>> Sks-devel@nongnu.org
>> https://lists.nongnu.org/mailman/listinfo/sks-devel
>>
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
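
An added example, not part of the thread and not the status page's own test (how sks-keyservers.net decides the flag is not shown here): a Python classifier for how the probe string quoted above comes back in an error-page body, plus a helper that reports when repeated samples change class, which is the kind of record that helps pin down a flag that flips over time. The function names, the timestamps and every sample body except the "Page not found" one quoted in the thread are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Probe string from the thread, percent-encoded as it appears in the URL path.
ENCODED = "undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E"
RAW = unquote(ENCODED)       # decoded form containing a literal script tag
ESCAPED = html.escape(RAW)   # decoded, then HTML-escaped (&lt; ... &gt;)


def classify_reflection(body: str) -> str:
    """Describe how the probe string appears in a response body."""
    if RAW in body:
        # Decoded and echoed without escaping: the markup would be live in an HTML page.
        return "reflected-unescaped"
    if ESCAPED in body:
        # Decoded but HTML-escaped: shown as text.
        return "reflected-html-escaped"
    if ENCODED in body:
        # Echoed still percent-encoded, as in the body quoted in the thread.
        return "reflected-percent-encoded"
    return "not-reflected"


def transitions(samples):
    """Given (timestamp, body) pairs in time order, return
    (timestamp, old_class, new_class) for every change of class."""
    changes, previous = [], None
    for timestamp, body in samples:
        current = classify_reflection(body)
        if previous is not None and current != previous:
            changes.append((timestamp, previous, current))
        previous = current
    return changes


# Constructed samples: timestamps are made up; only the first body shape is from the thread.
SAMPLES = [
    ("2018-06-30T14:00Z", "Page not found: /pks/lookup/" + ENCODED),
    ("2018-06-30T15:00Z", "Page not found: /pks/lookup/" + ENCODED),
    ("2018-06-30T16:00Z", "Page not found: /pks/lookup/" + RAW),
    ("2018-06-30T17:00Z", "Page not found: /pks/lookup/" + ESCAPED),
]

if __name__ == "__main__":
    for change in transitions(SAMPLES):
        print(change)
```

Feeding it bodies saved from both the nginx front end and the SKS port directly, at the times the status page changes, shows whether the response itself ever differs between the "No" and "Yes" states.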