Closed seamustuohy closed 7 years ago
Mitigation Plan:
@seamustuohy, would it be acceptable for us to just remove that public endpoint altogether, and move the listing of PGP keys to only the IP/SP profile pages, visible only to the admins (and the IP/SP user who owns that profile)? That is, if the Admin is going to be sharing the keys to users, on a need-to-know basis, then they're the only ones who need to view them?
Yeah, I think that is the right way to go.
The web application allows service providers or implementing partners to specify a public PGP key in their profile. Said key may then be used for contacting a given party. The PGP keys are hosted on the backend via a “public” accessible route, which means no authentication is needed for those seeking to acquire the public key of an account.
It was discovered that the endpoint provides insufficient HTTP security headers and relies solely on the Content-Type: text/plain header as a protection mechanism. As the sp_profiles/:id/key endpoint can be iframed, it is possible to use Internet Explorer and an EML document to interpret text/plain as HTML and therefore execute JavaScript in the security context of the backend domain.
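Added example, not code from this repository or from the audit: a Rack-style sketch in Ruby of the response headers a plain-text key endpoint should carry (nosniff, attachment disposition, anti-framing, restrictive CSP) beside the header set the finding describes, plus a checker that reports which protections a given response lacks. The Rack triple and the assumption that the backend is Ruby-based are mine; the page does not say what framework it uses.

```ruby
# Added example (not the project's own code). The header set the audit
# found: Content-Type: text/plain was the only protection on the endpoint.
WEAK_HEADERS = { "Content-Type" => "text/plain" }.freeze

# Hardened headers for serving a PGP key as plain text:
# - X-Content-Type-Options: nosniff stops the text/plain -> HTML reinterpretation
# - Content-Disposition: attachment keeps browsers from rendering the body inline
# - X-Frame-Options and frame-ancestors stop the endpoint being iframed
# - a restrictive CSP blocks script execution if rendering still happens
def hardened_headers
  {
    "Content-Type" => "text/plain; charset=utf-8",
    "X-Content-Type-Options" => "nosniff",
    "Content-Disposition" => "attachment; filename=\"key.asc\"",
    "X-Frame-Options" => "DENY",
    "Content-Security-Policy" => "default-src 'none'; frame-ancestors 'none'; sandbox",
  }
end

# Lists the protections missing from a header hash, so the same check can be
# run against responses captured from a test client, not only this sketch.
def header_findings(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  findings = []
  unless h["x-content-type-options"].to_s.casecmp?("nosniff")
    findings << "missing X-Content-Type-Options: nosniff"
  end
  unless h["content-disposition"].to_s.start_with?("attachment")
    findings << "body is rendered inline (no Content-Disposition: attachment)"
  end
  csp = h["content-security-policy"].to_s
  frame_blocked = h["x-frame-options"].to_s.casecmp?("deny") ||
                  csp.include?("frame-ancestors 'none'")
  findings << "endpoint can be framed" unless frame_blocked
  findings
end

# Rack-style [status, headers, body] triple for the key endpoint (assumed shape).
def key_response(key_text, headers = hardened_headers)
  [200, headers, [key_text]]
end

if __FILE__ == $0
  # Constructed placeholder body, not a real key.
  key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n-----END PGP PUBLIC KEY BLOCK-----\n"
  p header_findings(WEAK_HEADERS)            # three findings
  p header_findings(key_response(key)[1])    # []
end
```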
Recommendations: