Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Eric Germann
Greetings,

Can anyone shed some light on what causes the "Vulnerable to CVE-2014-3207” flag to be set in the status page (https://sks-keyservers.net/status/ks-status.php?server=<servername>) for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it appears to be eligible for pool inclusion.  After a while, it moves to “Yes” and appears to be ineligible.

I’m trying to understand what changes from just running as the CVE seems to be on the SKS server side.

Thanks for any insight

EKG


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Christiaan de Die le Clercq
Hi Eric,

The flag is set when SKS-Keyserver is vulnerable for XSS injection,
which is testable by going here:
http://<YOUR SKS
SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

Op 30-6-2018 om 3:20 PM schreef Eric Germann:

> Greetings,
>
> Can anyone shed some light on what causes the "Vulnerable to
> CVE-2014-3207” flag to be set in the status page
> (https://sks-keyservers.net/status/ks-status.php?server=<servername>
> <https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
> for a server?
>
> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
> laid out in https://keyserver.mattrude.com/guides/building-server/
>
> After a boot, the key server will show “No” in the CVE field and it
> appears to be eligible for pool inclusion.  After a while, it moves to
> “Yes” and appears to be ineligible.
>
> I’m trying to understand what changes from just running as the CVE seems
> to be on the SKS server side.
>
> Thanks for any insight
>
> EKG
>
>
>
> _______________________________________________
> Sks-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/sks-devel
>

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Eric Germann
Thanks

So I should download all the source from the git repo as it seems 1.1.6 doesn’t have the fixes?

> On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq <[hidden email]> wrote:
>
> Hi Eric,
>
> The flag is set when SKS-Keyserver is vulnerable for XSS injection,
> which is testable by going here:
> http://<YOUR SKS
> SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E
>
> More info on here:
> https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
> and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207
>
>
> Kind regards,
>
> Christiaan de Die le Clercq
>
> Op 30-6-2018 om 3:20 PM schreef Eric Germann:
>> Greetings,
>>
>> Can anyone shed some light on what causes the "Vulnerable to
>> CVE-2014-3207” flag to be set in the status page
>> (https://sks-keyservers.net/status/ks-status.php?server=<servername>
>> <https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
>> for a server?
>>
>> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
>> laid out in https://keyserver.mattrude.com/guides/building-server/
>>
>> After a boot, the key server will show “No” in the CVE field and it
>> appears to be eligible for pool inclusion.  After a while, it moves to
>> “Yes” and appears to be ineligible.
>>
>> I’m trying to understand what changes from just running as the CVE seems
>> to be on the SKS server side.
>>
>> Thanks for any insight
>>
>> EKG
>>
>>
>>
>> _______________________________________________
>> Sks-devel mailing list
>> [hidden email]
>> https://lists.nongnu.org/mailman/listinfo/sks-devel
>>
>

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

smime.p7s (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Moritz Wirth-2

Are you sure that this is a problem of the CVE Vulnerability and not because of a non responding keyservers?


Am 30.06.18 um 20:29 schrieb Eric Germann:
Thanks

So I should download all the source from the git repo as it seems 1.1.6 doesn’t have the fixes?

On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq [hidden email] wrote:

Hi Eric,

The flag is set when SKS-Keyserver is vulnerable for XSS injection,
which is testable by going here:
<a class="moz-txt-link-freetext" href="http://">http://<YOUR SKS
SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

Op 30-6-2018 om 3:20 PM schreef Eric Germann:
Greetings,

Can anyone shed some light on what causes the "Vulnerable to 
CVE-2014-3207” flag to be set in the status page 
(https://sks-keyservers.net/status/ks-status.php?server=<servername> 
<https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>) 
for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as 
laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it 
appears to be eligible for pool inclusion.  After a while, it moves to 
“Yes” and appears to be ineligible.

I’m trying to understand what changes from just running as the CVE seems 
to be on the SKS server side.

Thanks for any insight

EKG



_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel


        

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (876 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page

Eric Germann
In reply to this post by Christiaan de Die le Clercq
Here’s a test point


shows

Vulnerable to CVE-2014-3207
Yes


Testing my server with the link you provided shows:

Page not found

Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E


Which is exactly what it showed when the status was “No”.  Literally, nothing changed on it, except time.  They oscillate in and out of the this state as near as I can tell.

Thanks for any insight anyone may have as to what could be causing this.

EKG

On Jun 30, 2018, at 1:55 PM, Christiaan de Die le Clercq <[hidden email]> wrote:

Hi Eric,

The flag is set when SKS-Keyserver is vulnerable for XSS injection,
which is testable by going here:
http://<YOUR SKS
SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

Op 30-6-2018 om 3:20 PM schreef Eric Germann:
Greetings,

Can anyone shed some light on what causes the "Vulnerable to
CVE-2014-3207” flag to be set in the status page
(https://sks-keyservers.net/status/ks-status.php?server=<servername>
<https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it
appears to be eligible for pool inclusion.  After a while, it moves to
“Yes” and appears to be ineligible.

I’m trying to understand what changes from just running as the CVE seems
to be on the SKS server side.

Thanks for any insight

EKG



_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel




_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (849 bytes) Download Attachment