Closed Bug 1815204 Opened 1 year ago Closed 1 year ago

Extension sanitization (.lnk, .local) bypass using pipe (|)

Categories: Firefox :: Security, defect
Tracking: RESOLVED DUPLICATE of bug 1815062
People: Reporter: haxatron1, Unassigned
Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Currently, Firefox (1) removes all | operators from filenames.

It also (2) renames any file ending with .lnk to .download. (https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/#CVE-2022-36314)

The behaviour (1) can be used to bypass (2).

Example: The filename "test.lnk|||" will get saved as "test.lnk" which bypasses behaviour (2) even on the latest Nightly build 111.0a1 (2023-02-05) (64-bit)

Can test using: https://haxatron-server.glitch.me/hashleak-2.html
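The report describes an ordering bug: the extension check runs on the raw name "test.lnk|||" (which does not end in .lnk), and only afterwards are the pipe characters stripped, leaving "test.lnk". The following JavaScript is an added model of the two orderings, not Firefox's own sanitizer; the function names, the extension set (only the .lnk and .local named in the bug title) and the decision to replace the extension with ".download" are assumptions made for illustration.

```javascript
"use strict";

// Added illustration, not Firefox's DownloadPaths code. Assumptions: the
// dangerous-extension set below, and that a dangerous extension is replaced
// by ".download" rather than appended to.
const DANGEROUS_EXTENSIONS = [".lnk", ".local"];

// Only '|' is modelled because that is the character the report uses;
// a real sanitizer strips a larger set of illegal characters.
const ILLEGAL_CHARS = /[|]/g;

// Behaviour (1) from the report: remove every '|' from the name.
function stripIllegalChars(name) {
  return name.replace(ILLEGAL_CHARS, "");
}

// Behaviour (2) from the report: neutralise a dangerous extension.
function neutralizeExtension(name) {
  const lower = name.toLowerCase();
  for (const ext of DANGEROUS_EXTENSIONS) {
    if (lower.endsWith(ext)) {
      return name.slice(0, name.length - ext.length) + ".download";
    }
  }
  return name;
}

// Vulnerable ordering (the one the report exploits): the extension check
// sees "test.lnk|||", which does not end in ".lnk", and the later '|'
// stripping turns it back into "test.lnk".
function sanitizeVulnerable(name) {
  return stripIllegalChars(neutralizeExtension(name));
}

// Fixed ordering: strip illegal characters first, then check the extension.
// Iterating to a fixpoint guards against any transform re-creating a
// dangerous suffix; the bound just prevents pathological loops.
function sanitizeFixed(name) {
  let current = name;
  for (let i = 0; i < 10; i++) {
    const next = neutralizeExtension(stripIllegalChars(current));
    if (next === current) {
      return next;
    }
    current = next;
  }
  return current;
}

// Check a practitioner would put in a regression test: does the final
// on-disk name still carry an extension the sanitizer meant to remove?
function stillDangerous(sanitizedName) {
  const lower = sanitizedName.toLowerCase();
  return DANGEROUS_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Constructed sample input taken from the report's example.
const SAMPLE = "test.lnk|||";
console.log("vulnerable:", sanitizeVulnerable(SAMPLE), stillDangerous(sanitizeVulnerable(SAMPLE)));
console.log("fixed:     ", sanitizeFixed(SAMPLE), stillDangerous(sanitizeFixed(SAMPLE)));
```

The general lesson is that every filter which can change the string must run before the check that decides whether the string is safe, or the check must be repeated until the name stops changing.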

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2023-29542
Resolution: --- → DUPLICATE

This bug was filed within the "collision window" specified in our bug bounty program. We are awarding a bounty split with the reporter of bug 1815062

Flags: sec-bounty? → sec-bounty+
Group: firefox-core-security