[Sks-devel] pgpkeys.urown.net and CVE-2014-3207
Alain Wolf
2017-12-13 23:48:52 UTC
Hello

A few days ago the status page of my key-server [1] began to show ...
Vulnerable to CVE-2014-3207 Yes
This began after I created customized Nginx error pages, not just for
the key-server, but all sites hosted here.

The problem was that the new error pages have an email link to let visitors mail
the webmaster about problems they encountered. The mail is prefilled with
information on the error, including, amongst other things, the HTTP request as
received.

This rightfully triggered the vulnerability warning.

I have now changed the error page [2] to escape URLs with HTML entities
and my sks-keyservers.net status page no longer shows any error.

[1] https://sks-keyservers.net/status/ks-status.php?server=pgpkeys.urown.net
[2] https://pgpkeys.urown.net/pks/lookup?search=yahoo.com

Regards

Alain
--
# pgpkeys.urown.net 11370 # Alain Wolf <***@urown.net>
0x27A69FC9A1744242
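
The fix described in the post above, sketched as an added example (not the poster's actual error-page code): the request is HTML-escaped where it is shown as text, and, going one step beyond the post, percent-encoded before it goes into the `mailto:` link, which is then HTML-escaped as an attribute value. The address, host name, function names and sample request are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote

WEBMASTER = "webmaster@example.org"  # placeholder address (assumption)

def mailto_link(status: int, request_line: str, host: str) -> str:
    """Build the 'report this error' link for an error page.

    Two encodings are applied, innermost first:
      1. percent-encoding, because the text is a mailto: URI component;
      2. HTML entity escaping, because the URI sits in an href attribute.
    """
    subject = f"HTTP {status} on {host}"
    body = f"Request: {request_line}\nHost: {host}\nStatus: {status}"
    uri = (f"mailto:{WEBMASTER}"
           f"?subject={quote(subject, safe='')}"
           f"&body={quote(body, safe='')}")
    return f'<a href="{html.escape(uri, quote=True)}">Mail the webmaster</a>'

def error_page(status: int, request_line: str, host: str) -> str:
    """Render a minimal error page that shows the request and the mail link."""
    shown = html.escape(request_line, quote=True)  # visible text context
    return (f"<h1>Error {status}</h1>\n"
            f"<p>Request: <code>{shown}</code></p>\n"
            f"<p>{mailto_link(status, request_line, host)}</p>\n")

def reflects_markup(page: str, probe: str) -> bool:
    """True if the probe string appears unescaped in the rendered page."""
    return probe in page

# Constructed sample request, not taken from any real log.
PROBE = '<b id="x">'
SAMPLE = f"GET /pks/lookup?search={PROBE} HTTP/1.1"

if __name__ == "__main__":
    page = error_page(404, SAMPLE, "keys.example.org")
    print(page)
    print("raw markup reflected:", reflects_markup(page, PROBE))
```
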