[Sks-devel] pgpkeys.urown.net and CVE-2014-3207


From: Alain Wolf
Subject: [Sks-devel] pgpkeys.urown.net and CVE-2014-3207
Date: Thu, 14 Dec 2017 00:48:52 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

Hello

A few days ago the status page of my key-server [1] began to show ...

> Vulnerable to CVE-2014-3207   Yes

This began after I created customized Nginx error pages, not just for
the key-server, but all sites hosted here.

The problem was that the new error pages have an email link to let visitors
mail the webmaster about problems they encountered. The mail is prefilled with
information on the error and, amongst other things, the HTTP request as
received.

This rightfully triggered the vulnerability warning.

I have now changed the error page [2] to escape URLs with HTML entities
and my sks-keyservers.net status page no longer shows any error.

[1] https://sks-keyservers.net/status/ks-status.php?server=pgpkeys.urown.net
[2] https://pgpkeys.urown.net/pks/lookup?search=yahoo.com

Regards

Alain

-- 
# pgpkeys.urown.net 11370 # Alain Wolf <address@hidden>
0x27A69FC9A1744242
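
Added example, not part of the original message and not the author's actual error page: a sketch of an error-page mailto link that reflects the request as received, next to a version that encodes it for each context it passes through. It goes slightly beyond the HTML-entity escaping the message mentions by also percent-encoding the mailto fields; the function names, the webmaster address and the sample request are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote

WEBMASTER = "webmaster@example.org"  # assumed placeholder address

# Constructed sample input: a request line carrying harmless markup as a probe.
PROBE = '"><i>probe</i>'
REQUEST = f"GET /pks/lookup?search={PROBE} HTTP/1.1"


def error_link_unescaped(status: int, request_line: str) -> str:
    """The 'before': the request as received is pasted straight into the page."""
    body = f"Error {status} for request: {request_line}"
    return (f'<a href="mailto:{WEBMASTER}?subject=Error {status}'
            f'&body={body}">Report this error</a>')


def error_link_escaped(status: int, request_line: str) -> str:
    """The 'after': encode once per context, innermost context first."""
    # 1. URI context: percent-encode each field so quotes, angle brackets,
    #    '&' and '?' cannot end the body or add further mailto fields.
    subject = quote(f"Error {status}", safe="")
    body = quote(f"Error {status} for request: {request_line}", safe="")
    href = f"mailto:{WEBMASTER}?subject={subject}&body={body}"
    # 2. HTML attribute context: entity-escape the finished URI, which turns
    #    the field separator '&' into '&amp;' and would neutralise any quote.
    return f'<a href="{html.escape(href, quote=True)}">Report this error</a>'


def reflects_markup(page_fragment: str, probe: str = PROBE) -> bool:
    """True if the probe comes back unmodified, which is what a scanner flags."""
    return probe in page_fragment


if __name__ == "__main__":
    for build in (error_link_unescaped, error_link_escaped):
        fragment = build(404, REQUEST)
        print(f"{build.__name__}: reflected={reflects_markup(fragment)}")
        print(f"  {fragment}")
```
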
