
"Content-Type" header code execution


We are looking to find a fix for the code execution bug found in May of 2021:

Mozilla Firefox is vulnerable to code execution by a remote attacker who can convince a user to open a malicious file. By manipulating the "Content-Type" header of a file the attacker can cause Firefox to execute scripts concealed in files that appear to be of non-executable types.

Chosen solution

If you use my test document you will see that Firefox 96 still works the same way: when the server indicates this combination:

Content-Type: text/html
Content-Disposition: attachment; filename=test.jpg

Firefox corrects the file name during the save process from test.jpg to test.jpg.html and you can open it as an HTML page rather than a corrupt JPEG image.

I don't know whether anyone has filed a bug. Normally security researchers would have done that before making a public disclosure but it is hard to search for security bugs.

If you want to file a new bug:

https://bugzilla.mozilla.org/
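The rename described in this answer can be written down as a small check. This is an added example, not Firefox's code and not from anyone in the thread: it parses the two headers with the standard library's MIME parser and, when the declared type is one a browser would render as a page but the attachment name claims otherwise, appends the type's own extension, so test.jpg becomes test.jpg.html. The ACTIVE_TYPES table and the function names are assumptions made for the example.

```python
import os
from email.message import Message

# Types a browser would render as a page (and run scripts in), mapped to the
# extensions that honestly declare them. Constructed for this example; a real
# browser keeps a much larger table.
ACTIVE_TYPES = {
    "text/html": (".html", ".htm"),
    "application/xhtml+xml": (".xhtml", ".xht"),
}


def parse_headers(headers):
    """Parse Content-Type and Content-Disposition with the stdlib MIME parser.

    Returns (media_type, attachment_filename_or_None); parameters such as
    charset are stripped and the media type is lower-cased.
    """
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    return msg.get_content_type(), msg.get_filename()


def safe_download_name(headers):
    """Return (filename, mismatch).

    mismatch is True when the server declares an active type but names the
    attachment as if it were something else; the type's own extension is then
    appended, mirroring the test.jpg -> test.jpg.html rename Firefox performs.
    """
    media_type, filename = parse_headers(headers)
    filename = filename or "download"
    # keep the saved name a single path component
    filename = filename.replace("/", "_").replace("\\", "_")
    ext = os.path.splitext(filename)[1].lower()
    honest = ACTIVE_TYPES.get(media_type)
    if honest and ext not in honest:
        return filename + honest[0], True
    return filename, False


if __name__ == "__main__":
    # the header combination from the test page discussed in this thread
    sample = {"Content-Type": "text/html",
              "Content-Disposition": "attachment; filename=test.jpg"}
    print(safe_download_name(sample))  # ('test.jpg.html', True)
```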

All replies (5)

Can you link to information about that vulnerability? To prevent a delay in your post appearing, add a space before the .com or .org in your link. (Otherwise, the reply is sent to the link spam moderation queue.)

I think this is what they're doing:

https://www.jeffersonscher.com/res/test_jpg.php

Adding screenshot of download dialog:

Modified by jscher2000 - Support Volunteer

That was the site I saw about this issue but no official notice or fix which is what is needed.