5 years ago

(Reporter: whitehat, Assigned: kang)


({sec-low, wsec-xss})
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [][reporter-external] old IE only?)


(1 attachment)



5 years ago
Posted image mozzila.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

Scanned subdomains of
Found about

Actual results:

Scanned it and found xss on /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>

Expected results:

Screen PopupAlert


5 years ago
Whiteboard: Haris Mamoun
Assigned to rforbes for verification; this looks like a scanner false positive to me. I took a quick look at the URL in question and I don't see a way for this to be exploited.
Assignee: nobody → rforbes
Flags: sec-bounty?
Whiteboard: Haris Mamoun → [][reporter-external][verif?]

Comment 2

5 years ago
It is a reflected XSS.
It's verified, not a false positive.

Comment 3

5 years ago
Any information on status?
Flags: needinfo?(rforbes)
Modern browsers escape the request, so the reflected page does not contain an XSS attack. Command-line tools like curl, or maybe old versions of IE, don't do this escaping, so it can look like a successful attack.

Joe: who stood up this server? I'm guessing someone in your team, but the real bug (such as it is) is almost certainly in the upstream SKS code. Maybe there's a newer version, or maybe they've got a fix.
Assignee: rforbes → jstevensen
Flags: needinfo?(rforbes)
Whiteboard: [][reporter-external][verif?] → [][reporter-external] old IE only?
Assignee: jstevensen → gdestuynder
We're currently running the SKS keyserver version 1.1.4 (latest) and using the default page.
Thus, the issue most likely exists in the upstream SKS code indeed (

I did not find any public issue on the matter in their issue tracker ( for example)
The output appears to be sanitized by the server, thus I believe there is no actual issue.

rforbes, can you confirm?
Flags: needinfo?(rforbes)
Turns out it's not sanitized :)
curl "<ScRiPt>prompt(972363)</ScRiPt>" 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "" >
<html xmlns="">
<title>Page not found</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<style type="text/css">
 .uid { color: green; text-decoration: underline; }
 .warn { color: red; font-weight: bold; }
</style></head><body><h1>Page not found</h1>Page not found: //pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt></body></html>
Flags: needinfo?(rforbes)
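
The two findings above (comment 3's point that modern browsers percent-encode the request path, and the curl reproduction showing the raw path echoed back unescaped) can be reproduced offline with a small model of the "Page not found" handler. This is an added example written for this page; it is not SKS source code and not code posted in this bug. The handler is a minimal reconstruction of the behaviour visible in the curl output, and it assumes, as the curl output suggests, that the server echoes the request path exactly as received without URL-decoding it.

```python
"""Reflected XSS in an SKS-style "Page not found" handler: the vulnerable
echo, the hardened echo, and why curl triggers it while a browser does not.

Added example for this bug page, not SKS code. Assumption: the server
reflects the request path verbatim, without percent-decoding it first.
"""
import re
from html import escape
from urllib.parse import quote

# Constructed input: the raw request path from the curl reproduction.
RAW_PATH = "/pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>"

_PAGE_HEAD = ("<html><head><title>Page not found</title></head><body>"
              "<h1>Page not found</h1>Page not found: ")
_PAGE_TAIL = "</body></html>"


def render_not_found_vulnerable(request_path: str) -> str:
    """Echo the request path into the HTML body unescaped, which is the
    behaviour seen in the bug's curl output."""
    return _PAGE_HEAD + request_path + _PAGE_TAIL


def render_not_found_fixed(request_path: str) -> str:
    """Same page with the only change that matters: HTML-escape the path
    before it lands in a text node (quote=True also covers attribute use)."""
    return _PAGE_HEAD + escape(request_path, quote=True) + _PAGE_TAIL


def as_sent_by_browser(path: str) -> str:
    """Model what a modern browser puts on the wire for this URL: '<', '>'
    and other unsafe characters are percent-encoded before the request
    leaves the client. curl (and old IE, per the bug) send them raw."""
    return quote(path)


_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def reflects_script(page: str) -> bool:
    """Crude scanner-style check: does the response body contain a live
    <script> opening tag (case-insensitive, as in the PoC's <ScRiPt>)?"""
    return _SCRIPT_OPEN.search(page) is not None


def triage(path: str) -> dict:
    """Run the PoC path through both handlers, once as curl sends it and once
    as a browser sends it, and report where a live script tag is reflected."""
    return {
        "vulnerable/curl": reflects_script(render_not_found_vulnerable(path)),
        "vulnerable/browser": reflects_script(
            render_not_found_vulnerable(as_sent_by_browser(path))),
        "fixed/curl": reflects_script(render_not_found_fixed(path)),
        "fixed/browser": reflects_script(
            render_not_found_fixed(as_sent_by_browser(path))),
    }


if __name__ == "__main__":
    for case, hit in triage(RAW_PATH).items():
        print(f"{case:20s} script reflected: {hit}")
```

Only the vulnerable handler fed the raw path reports a live script tag, which matches the thread: the scanner and curl see the injection, a browser that percent-encodes `<` and `>` does not, and the correct fix is output escaping on the server rather than relying on the client to encode.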

Comment 9

5 years ago
Any confirmation/info?
Ever confirmed: true
Blocks: 836522
Group: mozilla-services-security
Keywords: sec-low, wsec-xss
I guess if the upstream bug is available in public we don't need to hide our version here.
This is sec-low so not qualified for a bounty.
Flags: sec-bounty? → sec-bounty-
New version released (1.1.5) and slated for upgrade on  (as per blocking bug)
1.1.5 running, and verified the PoC doesn't work.
Last Resolved: 5 years ago
Resolution: --- → FIXED