CVE-2014-3207: Unfiltered XSS

Issue #26 resolved
Former user created an issue

SKS 1.1.4 does not filter: /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>

For example:<ScRiPt>prompt(972363)</ScRiPt>;

Note that recent browsers will URL-encode this for you, thus the XSS only affects older browsers. You can verify this using curl, for example:


Proposed fix: Filter input/output (or do not display the input at all).

Initial report and findings: by Haris (
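A defender-side illustration of the proposed fix, added here and not code from SKS itself: it renders the error page for an unrecognised lookup path with and without HTML escaping, and scans constructed access-log lines for the same kind of probe (URL-decoding the path first, since modern browsers encode the angle brackets, as noted above). The error-page wording, the log format and the sample lines are assumptions, not SKS's real output.

```python
# Added example (not SKS's own code): why the unrecognised lookup path must
# be HTML-escaped before it is reflected, plus a simple access-log check a
# keyserver operator could run for probes like the one reported.
import html
import re
from urllib.parse import unquote

def render_lookup_error(path: str, escape: bool = True) -> str:
    """Build the body of an error page for an unknown /pks/lookup path.
    escape=False reproduces the unfiltered reflection class of bug from the
    report; escape=True entity-encodes the path so no markup survives.
    (Hypothetical page text, not SKS's actual error page.)"""
    shown = html.escape(path, quote=True) if escape else path
    return f"<html><body><p>Error handling request: {shown}</p></body></html>"

# Case-insensitive marker so mixed-case variants such as <ScRiPt> match.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def reflects_script(body: str) -> bool:
    """True if a raw <script> tag made it into the rendered body."""
    return SCRIPT_TAG.search(body) is not None

# Assumes Apache/nginx "combined" log format in front of the keyserver.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def flag_suspicious_lookups(log_lines):
    """Return (client, decoded path) for /pks/ requests whose URL-decoded
    path contains a script tag; the decode step is what catches browsers
    that percent-encode the angle brackets."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith("/pks/"):
            continue
        decoded = unquote(m.group("path"))
        if SCRIPT_TAG.search(decoded):
            hits.append((m.group("ip"), decoded))
    return hits

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2014:12:00:01 +0000] "GET /pks/lookup?op=get&search=0xDEADBEEF HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/May/2014:12:00:05 +0000] "GET /pks/lookup/undefined1%3CScRiPt%3Eprompt(1)%3C/ScRiPt%3E HTTP/1.1" 200 512',
    '203.0.113.4 - - [10/May/2014:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 88',
]
```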

Comments (7)

  1. John Clizbe

    I log in to Mozilla Bugzilla and I can't access the bug report either. So much for Mozilla and "Open".

    Lowering prio to minor until we can access the bug.

  2. kang_

    Since this is a security bug, it's hidden by default. This is done in your and your users' interest. (

    As this Bitbucket issue is public, and I believe you are requesting the original bug to be made public before a fix is issued, the original bug is now unhidden. Note that it contains the same information.
