SKS-Keyserver / sks-keyserver

OpenPGP keyserver
GNU General Public License v2.0

CVE-2014-3207: Unfiltered XSS #26

Closed ygrek closed 10 years ago

ygrek commented 10 years ago

Original report by Anonymous.


SKS 1.1.4 does not filter: /pks/lookup/undefined1

For example:

http://gpg.mozilla.org/pks/lookup/undefined1

Note that recent browsers will URL-encode this for you, thus the XSS only affects older browsers. You can verify this using curl, for example:

curl http://gpg.mozilla.org//pks/lookup/undefined1

Proposed fix: Filter input/output (or do not display the input at all).

Initial report and findings: https://bugzilla.mozilla.org/show_bug.cgi?id=952077 by Haris (whitehat@hotmail.rs)
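As an added illustration of the reflection described in the report above (example code written for this page, not SKS's own OCaml handler), the block below models an error page that echoes an unrecognised `/pks/lookup/...` path, beside a hardened version that HTML-escapes it, and shows why the reporter's "older browsers only" observation holds: a client that percent-encodes the path (or a raw `curl` that does not) decides whether markup reaches the response. The `<script>` payload, the error-page template and the use of Python's `urllib.parse.quote` as a stand-in for browser encoding are assumptions; the original report's exact payload is not preserved on this page.

```python
import html
import urllib.parse

# Constructed sample inputs (not from the original report).
UNKNOWN_PATH = "/pks/lookup/undefined1"
XSS_PATH = "/pks/lookup/<script>alert(1)</script>"
PAYLOAD = "<script>alert(1)</script>"

# Assumed error-page shape; the real SKS template is not on this page.
TEMPLATE = (
    "<html><body><h1>Error handling request</h1>"
    "<p>Unrecognized request: {path}</p></body></html>"
)


def vulnerable_handler(path: str) -> str:
    """Reflect the unmatched request path verbatim, as the report describes.

    Anything that looks like markup in the path becomes markup in the page.
    """
    return TEMPLATE.format(path=path)


def hardened_handler(path: str) -> str:
    """Escape the reflected path so request bytes can never close or open a tag.

    html.escape(quote=True) turns < > & " ' into entities, which is the
    'filter output' half of the proposed fix.  Not echoing the path at all
    is the other acceptable option.
    """
    return TEMPLATE.format(path=html.escape(path, quote=True))


def modern_browser_path(raw_path: str) -> str:
    """Approximate what a current browser sends on the wire for a typed URL.

    Assumption: browsers percent-encode characters outside the path-safe set
    before sending the request; the exact set varies per browser, so this
    uses urllib.parse.quote with only '/' kept literal.
    """
    return urllib.parse.quote(raw_path, safe="/")


def is_reflected_unescaped(body: str, payload: str) -> bool:
    """The check a curl-based verification performs: does the raw payload
    appear byte-for-byte in the response body?"""
    return payload in body


def assess(path: str) -> dict:
    """Run one request path through both handlers and both client behaviours."""
    encoded = modern_browser_path(path)
    return {
        # What curl (no encoding) provokes from each handler.
        "curl_vulnerable": is_reflected_unescaped(vulnerable_handler(path), PAYLOAD),
        "curl_hardened": is_reflected_unescaped(hardened_handler(path), PAYLOAD),
        # What an encoding browser provokes: the path is still echoed, but
        # only as %3Cscript%3E..., which the browser renders as text.
        "browser_vulnerable": is_reflected_unescaped(vulnerable_handler(encoded), PAYLOAD),
        "browser_sent": encoded,
    }


if __name__ == "__main__":
    for p in (UNKNOWN_PATH, XSS_PATH):
        print(p, assess(p))
```

The output-escaping fix is the one that matters: client-side percent-encoding is a property of the client, not of the server, so any tool that sends the path unencoded (curl, a hand-written socket, an older browser) reaches the vulnerable reflection.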

ygrek commented 10 years ago

Original comment by Kristian Fiskerstrand (Bitbucket: kristianf, GitHub: krifisk).


You are not authorized to access bug #952077.

ygrek commented 10 years ago

Original comment by John Clizbe (Bitbucket: jpclizbe, GitHub: jpclizbe).


I logged in to Mozilla Bugzilla and I can't access the bug report either. So much for Mozilla and "Open".

Lowering prio to minor until we can access the bug.

ygrek commented 10 years ago

Original comment by kang (Bitbucket: [kang](https://bitbucket.org/kang_)).


Since this is a security bug, it's hidden by default. This is done in your and your users' interest. (http://en.wikipedia.org/wiki/Responsible_disclosure)

As this Bitbucket issue is public, and I believe you are requesting the original bug to be made public before a fix is issued, the original bug is now unhidden. Note that it contains the same information.

ygrek commented 10 years ago

Original comment by Kristian Fiskerstrand (Bitbucket: kristianf, GitHub: krifisk).


Thanks. FWIW I have a possible fix in my Mercurial patch queue[0] that is awaiting review after the pull request already made for more ECC curves.

[0] https://bitbucket.org/kristianf/sks-keyserver-patches/src/tip/Issue26?at=default

ygrek commented 10 years ago

Original comment by Kristian Fiskerstrand (Bitbucket: kristianf, GitHub: krifisk).


This issue has been fixed in the main branch.