I wanted to point out a blog post by the company Detectify (same people that found a vuln in the SNI validation a while ago, but a different issue):
They found that some implementations of ACME enable cross site scripting. In the http-01 domain validation method the CA server sends the requester a token and then the server should serve the token concatenated with an account public key hash in a file named after the token.
It turns out some implementations do this in a way that they don’t really care about the token, but always reflect whatever you request under the corresponding URL (/.well-known/acme-challenge/token). In some setups this is combined with content sniffing, which enables cross-site scripting (i.e. if you reflect HTML content it will be served as text/html).
I discussed this recently with Frans Rosén (one of the finders) and we wondered if there’s some ACME implementation out there that has this behavior or if those hosters all came up with this on their own.
There are a lot of ACME implementations, but maybe someone here is aware of an implementation that might have this behavior. Would be interesting, because then we could fix this at the source and stop it from proliferating.
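As an added example (not code from the post, from Detectify or from any ACME project), here is a minimal http-01 responder in Python that only answers for tokens it has itself registered, returns the key authorization as text/plain with nosniff, and gives 404 for everything else instead of reflecting the path. The account JWK and the token are constructed sample values; the RFC 7638 thumbprint computation is included so the block runs stand-alone.

```python
import base64
import hashlib
import json
import re

# ACME tokens are base64url without padding (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Http01Responder:
    """Serves key authorizations only for tokens registered by the ACME client."""

    def __init__(self, account_jwk):
        self.thumbprint = jwk_thumbprint(account_jwk)
        self.pending = {}  # token -> key authorization (token + "." + thumbprint)

    def register(self, token):
        """Called when the CA issues a challenge; stores the expected response."""
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("token is not base64url")
        key_authz = f"{token}.{self.thumbprint}"
        self.pending[token] = key_authz
        return key_authz

    def handle(self, path):
        """Return (status, headers, body) for a request path. Never echoes the path."""
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, {}, b""
        token = path[len(CHALLENGE_PREFIX):]
        key_authz = self.pending.get(token)
        if key_authz is None:
            # Unknown or malformed token: fixed body, nothing from the request is reflected.
            return 404, {"Content-Type": "text/plain; charset=utf-8"}, b"not found\n"
        headers = {
            "Content-Type": "text/plain; charset=utf-8",  # RFC 8555 expects text/plain (or none)
            "X-Content-Type-Options": "nosniff",          # stop browsers sniffing the body as HTML
        }
        return 200, headers, key_authz.encode("ascii")
```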