Discussion:
[Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in
Eric Germann
2018-06-30 13:20:58 UTC
Greetings,

Can anyone shed some light on what causes the “Vulnerable to CVE-2014-3207” flag to be set in the status page (https://sks-keyservers.net/status/ks-status.php?server=<servername>) for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it appears to be eligible for pool inclusion. After a while, it moves to “Yes” and appears to be ineligible.

I’m trying to understand what changes from just running, as the CVE seems to be on the SKS server side.

Thanks for any insight

EKG
Christiaan de Die le Clercq
2018-06-30 17:55:25 UTC
Hi Eric,

The flag is set when SKS-Keyserver is vulnerable to XSS injection,
which is testable by going here:
http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and here: https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq
_______________________________________________
Sks-devel mailing list
https://lists.nongnu.org/mailman/listinfo/sks-devel
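As an added example (not part of the thread, and not the sks-keyservers.net status checker's own logic, which the thread does not show), the probe URL given above can be requested from a keyserver you operate and the reply classified by how the payload is echoed. The function names and the two constructed sample bodies are assumptions; the third sample is the "Page not found" text reported later in this thread.

```python
import html
import urllib.error
import urllib.request
from urllib.parse import unquote

# Probe path quoted in the thread, in the percent-encoded form sent on the wire.
PROBE_PATH = "/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E"
ENCODED_MARKER = PROBE_PATH.split("undefined1", 1)[1]
RAW_MARKER = unquote(ENCODED_MARKER)  # the decoded <ScRiPt>...</ScRiPt> element


def classify_body(body: str) -> str:
    """Classify how a response body echoes the probe.

    reflected-raw  : decoded marker appears as live markup (unfiltered XSS)
    echoed-encoded : marker appears only HTML-escaped or percent-encoded
    not-echoed     : marker does not appear at all
    """
    lowered = body.lower()
    if RAW_MARKER.lower() in lowered:
        return "reflected-raw"
    inert_forms = (html.escape(RAW_MARKER).lower(), ENCODED_MARKER.lower())
    if any(form in lowered for form in inert_forms):
        return "echoed-encoded"
    return "not-echoed"


def check_server(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL from a keyserver you operate and classify the reply."""
    url = base_url.rstrip("/") + PROBE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # An error page (e.g. 404) can still echo the requested path.
        body = err.read().decode("utf-8", "replace")
    return classify_body(body)


# Constructed sample: an error page that echoes the decoded path unfiltered.
SAMPLE_UNFILTERED = "<h1>Page not found</h1>/pks/lookup/undefined1" + RAW_MARKER
# Constructed sample: the same page with the path HTML-escaped.
SAMPLE_ESCAPED = "<h1>Page not found</h1>" + html.escape("/pks/lookup/undefined1" + RAW_MARKER)
# Text reported later in this thread for the poster's own server.
SAMPLE_FROM_THREAD = "Page not found: " + PROBE_PATH

if __name__ == "__main__":
    for name in ("SAMPLE_UNFILTERED", "SAMPLE_ESCAPED", "SAMPLE_FROM_THREAD"):
        print(name, "->", classify_body(globals()[name]))
```

Only `reflected-raw` corresponds to the unfiltered echo the probe is built to reveal; an encoded echo, as in the text quoted from the thread, is inert in a browser.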
Eric Germann
2018-06-30 18:29:41 UTC
Thanks

So I should download all the source from the git repo as it seems 1.1.6 doesn’t have the fixes?
Moritz Wirth
2018-06-30 18:33:01 UTC
Are you sure that this is a problem of the CVE Vulnerability and not
because of a non-responding keyserver?
Eric Germann
2018-07-01 03:17:56 UTC
Here’s a test point

https://sks-keyservers.net/status/ks-status.php?server=sks-ams.semperen.com

shows

Vulnerable to CVE-2014-3207
Yes


Testing my server with the link you provided shows:

Page not found

Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E


Which is exactly what it showed when the status was “No”. Literally, nothing changed on it, except time. They oscillate in and out of this state as near as I can tell.

Thanks for any insight anyone may have as to what could be causing this.

EKG