Suspected vulnerabilities in Web E-mail Protection related to "X-Content-Type-Options: nosniff"

Article ID: 170740

Products

Encryption Management Server

Issue/Introduction

A vulnerability scan indicates that the Symantec Encryption Management Platform (SEMS) Web E-mail Protection (WEP) product may be vulnerable to an attack related to the "X-Content-Type-Options: nosniff" header.

Environment

All SEMS versions.

Resolution

The nosniff setting applies to browsers, not servers.
This is not a server-side vulnerability because the server is not the target of the attack.
Content displayed by WEP is sanitized and filtered before being rendered on a page.
The nosniff setting has no effect on WEP content delivered via PDF because the nosniff header only applies to web browsers.

No "fix" will be created as the SEMS server is not the target of this attack.