Closed
Bug 1815204
Opened 1 year ago
Closed 1 year ago
Extension sanitization (.lnk, .local) bypass using pipe (|)
Categories
(Firefox :: Security, defect)
RESOLVED DUPLICATE of bug 1815062
People
(Reporter: haxatron1, Unassigned)
Details
(Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Currently, Firefox (1) removes all | operators from filenames.
It also (2) renames any file ending with .lnk to .download. (https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/#CVE-2022-36314)
The behaviour (1) can be used to bypass (2).
Example: The filename "test.lnk|||" will get saved as "test.lnk", which bypasses behaviour (2) even on the latest Nightly build 111.0a1 (2023-02-05) (64-bit).
Can test using: https://haxatron-server.glitch.me/hashleak-2.html
Flags: sec-bounty?
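The ordering problem described in the report, as an added example that is not part of the original bug and is not Firefox's code: a simplified model in which the extension check runs before `|` is stripped, beside an ordering that checks the name actually written to disk. The function names, the replace-the-extension rule and the case-insensitive match are assumptions; `.lnk` and `.local` come from the bug title.

```javascript
// Simplified model of the two behaviours in the report; not Firefox's code.
// All function names are hypothetical.
const BLOCKED_EXTENSIONS = [".lnk", ".local"]; // extensions named in the bug title

// Behaviour (1): remove every "|" from the filename.
function stripPipes(name) {
  return name.replace(/\|/g, "");
}

// Behaviour (2): a name ending in a blocked extension gets ".download" instead.
// Assumption: the extension is replaced and the match is case-insensitive.
function neutralizeExtension(name) {
  const lower = name.toLowerCase();
  for (const ext of BLOCKED_EXTENSIONS) {
    if (lower.endsWith(ext)) {
      return name.slice(0, name.length - ext.length) + ".download";
    }
  }
  return name;
}

// Ordering that reproduces the report: the check sees "test.lnk|||", finds no
// blocked suffix, and the later stripping step re-creates "test.lnk".
function sanitizeCheckThenStrip(name) {
  return stripPipes(neutralizeExtension(name));
}

// Hardened ordering: strip first, check second, and repeat until the name is
// stable. One pass suffices in this model; the loop keeps the guarantee that
// the check ran on the final string if more rewriting steps are added later.
function sanitizeToFixedPoint(name) {
  let current = name;
  for (let pass = 0; pass < 10; pass++) {
    const next = neutralizeExtension(stripPipes(current));
    if (next === current) return current;
    current = next;
  }
  throw new Error("filename did not stabilise");
}

// Constructed sample inputs; the first is the filename from the report.
const samples = ["test.lnk|||", "test.lnk", "a|b.LNK|", "x.local|", "report.pdf"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", sanitizeCheckThenStrip(s), "vs", sanitizeToFixedPoint(s));
}
```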
Updated•1 year ago
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2023-29542
Resolution: --- → DUPLICATE
Comment 2•1 year ago
This bug was filed within the "collision window" specified in our bug bounty program. We are awarding a bounty split with the reporter of bug 1815062.
Flags: sec-bounty? → sec-bounty+
Updated•6 months ago
Group: firefox-core-security