This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Le thread ibilondoloziwe. Nceda ubuze umbuzo omtsha ukuba ufuna uncedo.

"Content-Type" header code execution

cobbfan221
cobbfan221
more options

We are looking to find a fix for the code execution bug found in May of 2021:

Mozilla Firefox is vulnerable to code execution by a remote attacker who can convince a user to open a malicious file. By manipulating the "Content-Type" header of a file the attacker can cause Firefox to execute scripts concealed in files that appear to be of non-executable types.

We are looking to find a fix for the code execution bug found in May of 2021: Mozilla Firefox is vulnerable to code execution by a remote attacker who can convince a user to open a malicious file. By manipulating the "Content-Type" header of a file the attacker can cause Firefox to execute scripts concealed in files that appear to be of non-executable types.

Isisombulu esikhethiweyo

If you use my test document you will see that Firefox 96 still works the same way: when the server indicates this combination:

Content-Type: text/html Content-Disposition: attachment; filename=test.jpg

Firefox corrects the file name during the save process from test.jpg to test.jpg.html and you can open it as an HTML page rather than a corrupt JPEG image.

I don't know whether anyone has filed a bug. Normally security researchers would have done that before making a public disclosure but it is hard to search for security bugs.

If you want to file a new bug:

https://bugzilla.mozilla.org/

Funda le mpendulo kwimeko leyo 👍 0

All Replies (5)

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 25 Contributor
more options

Can you link to information about that vulnerability? To prevent a delay in your post appearing, add a space before the .com or .org in your link. (Otherwise, the reply is sent to the link spam moderation queue.)

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 25 Contributor
more options

Is it this one? https://besteffortteam.it/mozilla-firefox-content-type-confusion-unsafe-code-execution/

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 25 Contributor
more options

I think this is what they're doing:

https://www.jeffersonscher.com/res/test_jpg.php

Adding screenshot of download dialog:

Ilungisiwe ngu jscher2000 - Support Volunteer

cobbfan221
cobbfan221 Umnini wombuzo
more options

That was the site I saw about this issue but no official notice or fix which is what is needed.

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 25 Contributor
more options

Isisombululo esiKhethiweyo

If you use my test document you will see that Firefox 96 still works the same way: when the server indicates this combination:

Content-Type: text/html Content-Disposition: attachment; filename=test.jpg

Firefox corrects the file name during the save process from test.jpg to test.jpg.html and you can open it as an HTML page rather than a corrupt JPEG image.

I don't know whether anyone has filed a bug. Normally security researchers would have done that before making a public disclosure but it is hard to search for security bugs.

If you want to file a new bug:

https://bugzilla.mozilla.org/