Question

This thread was archived. Please ask a new question if you need help.

"Content-Type" header code execution

5 replies
1 has this problem
35 views
Last reply by jscher2000 - Support Volunteer

2 years ago

cobbfan221

2.2.22, 05:35

We are looking to find a fix for the code execution bug found in May of 2021:

Mozilla Firefox is vulnerable to code execution by a remote attacker who can convince a user to open a malicious file. By manipulating the "Content-Type" header of a file the attacker can cause Firefox to execute scripts concealed in files that appear to be of non-executable types.

We are looking to find a fix for the code execution bug found in May of 2021: Mozilla Firefox is vulnerable to code execution by a remote attacker who can convince a user to open a malicious file. By manipulating the "Content-Type" header of a file the attacker can cause Firefox to execute scripts concealed in files that appear to be of non-executable types.

Chosen solution

If you use my test document you will see that Firefox 96 still works the same way: when the server indicates this combination:

Content-Type: text/html Content-Disposition: attachment; filename=test.jpg

Firefox corrects the file name during the save process from test.jpg to test.jpg.html and you can open it as an HTML page rather than a corrupt JPEG image.

I don't know whether anyone has filed a bug. Normally security researchers would have done that before making a public disclosure but it is hard to search for security bugs.

If you want to file a new bug:

https://bugzilla.mozilla.org/

👍 0

Answer 1 · 2022-02-02 05:35:18

jscher2000 - Support Volunteer

Top 10 Contributor

2.2.22, 06:24

Can you link to information about that vulnerability? To prevent a delay in your post appearing, add a space before the .com or .org in your link. (Otherwise, the reply is sent to the link spam moderation queue.)

Answer 2 · 2022-02-02 05:35:18

jscher2000 - Support Volunteer

Top 10 Contributor

2.2.22, 06:29

Is it this one? https://besteffortteam.it/mozilla-firefox-content-type-confusion-unsafe-code-execution/

Answer 3 · 2022-02-02 05:35:18

jscher2000 - Support Volunteer

Top 10 Contributor

2.2.22, 06:50

I think this is what they're doing:

https://www.jeffersonscher.com/res/test_jpg.php

Adding screenshot of download dialog:

Modified 2 февруари 2022, 08:35:56 -0800 by jscher2000 - Support Volunteer

Answer 4 · 2022-02-02 05:35:18

cobbfan221 Question owner

2.2.22, 08:16

That was the site I saw about this issue but no official notice or fix which is what is needed.

Answer 5 · 2022-02-02 05:35:18

jscher2000 - Support Volunteer

Top 10 Contributor

2.2.22, 08:30

Chosen Solution

If you use my test document you will see that Firefox 96 still works the same way: when the server indicates this combination:

Content-Type: text/html Content-Disposition: attachment; filename=test.jpg

Firefox corrects the file name during the save process from test.jpg to test.jpg.html and you can open it as an HTML page rather than a corrupt JPEG image.

I don't know whether anyone has filed a bug. Normally security researchers would have done that before making a public disclosure but it is hard to search for security bugs.

If you want to file a new bug:

https://bugzilla.mozilla.org/

Search Support

"Content-Type" header code execution

Chosen solution

All Replies (5)

Chosen Solution

Ask a Question

Explore Our Help Articles

Mozilla Account

Search Support

"Content-Type" header code execution

Chosen solution

All Replies (5)

Chosen Solution