On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq <address@hidden> wrote:
Hi Eric,
The flag is set when SKS-Keyserver is vulnerable for XSS injection,
which is testable by going here:
http://<YOUR SKS
SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E
More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207
Kind regards,
Christiaan de Die le Clercq
Op 30-6-2018 om 3:20 PM schreef Eric Germann:
Greetings,
Can anyone shed some light on what causes the "Vulnerable to
CVE-2014-3207” flag to be set in the status page
(https://sks-keyservers.net/status/ks-status.php?server=<servername>
<https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
for a server?
Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
laid out in https://keyserver.mattrude.com/guides/building-server/
After a boot, the key server will show “No” in the CVE field and it
appears to be eligible for pool inclusion. After a while, it moves to
“Yes” and appears to be ineligible.
I’m trying to understand what changes from just running as the CVE seems
to be on the SKS server side.
Thanks for any insight
EKG
_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel
_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel