Mozilla Port Blocking
Contents
- Background
- Potential Problems caused by Port Blocking
- Modifying Mozilla's port blocking at Run Time
- Blocked Ports
- Protocol Specific Exceptions
- How to Change Mozilla port blocking permanently
- Things to do
- More Information
Background
On 08/15/2001, CERT issued Vulnerability Note VU#476267 for a "Cross-Protocol" scripting attack, known as the HTML Form Protocol Attack, which allowed sending arbitrary data to most TCP ports. A simple exploit of this hole allows an attacker to send forged, unsigned mail through a mail server behind your firewall: a really nasty hole.
Mozilla quickly responded by modifying how protocols can access ports.
By default, Mozilla now blocks access to specific ports which are used by vulnerable services in order to prevent security vulnerabilities due to "Cross-Protocol Scripting". Each protocol's handler can override this blocking for itself in order to enable the access that protocol requires.
Potential Problems caused by Port Blocking
Port blocking can cause problems if a site or web application requires access to one of the ports which is blocked in Mozilla. If a user attempts to access a URI on a blocked port, Mozilla will issue the following alert:
Access to the port number given has been disabled for security reasons.
If your product or web site uses a port which is blocked by Mozilla's default port blocking rules, you can either change the port of your service to an unblocked value (recommended if possible) or ask your Mozilla users to enable the port. For details on which ports are blocked and how to override the blocking, see below.
Modifying Mozilla's port blocking at Run time
Mozilla allows a user to modify the default port blocking by adding preferences containing comma-delimited lists of port numbers to either the user.js file (for single users) in the user's profile directory or the all.js file (for multi-user systems) in the defaults/pref/ sub-directory of the Mozilla installation directory, in order to enable or block ports in Mozilla.
user.js
user.js uses the user_pref(...) command to set preferences per user.
Enabling Ports
```js
user_pref("network.security.ports.banned.override", "port1,port2");
```
Disabling Ports
```js
user_pref("network.security.ports.banned", "port3,port4");
```
all.js
all.js uses the pref(...) command to set preferences per multi-user installation.
Enabling Ports
```js
pref("network.security.ports.banned.override", "port1,port2");
```
Disabling Ports
```js
pref("network.security.ports.banned", "port3,port4");
```
Blocked Ports
Port | Service |
---|---|
1 | tcpmux |
7 | echo |
9 | discard |
11 | systat |
13 | daytime |
15 | netstat |
17 | qotd |
19 | chargen |
20 | ftp data |
21 | ftp control |
22 | ssh |
23 | telnet |
25 | smtp |
37 | time |
42 | name |
43 | nicname |
53 | domain |
77 | priv-rjs |
79 | finger |
87 | ttylink |
95 | supdup |
101 | hostname |
102 | iso-tsap |
103 | gppitnp |
104 | acr-nema |
109 | POP2 |
110 | POP3 |
111 | sunrpc |
113 | auth |
115 | sftp |
117 | uucp-path |
119 | NNTP |
123 | NTP |
135 | loc-srv / epmap |
139 | netbios |
143 | IMAP2 |
179 | BGP |
389 | LDAP |
465 | SMTP+SSL |
512 | print / exec |
513 | login |
514 | shell |
515 | printer |
526 | tempo |
530 | courier |
531 | chat |
532 | netnews |
540 | uucp |
556 | remotefs |
563 | NNTP+SSL |
587 | submission |
601 | syslog |
636 | LDAP+SSL |
993 | IMAP+SSL |
995 | POP3+SSL |
2049 | nfs |
4045 | lockd |
6000 | X11 |
Protocol Specific Exceptions
Each Protocol Handler can override the global blocked ports to allow its own protocol to function.
Protocol Handler | Allowed Ports |
---|---|
FTP | 21, 22 |
LDAP | 389, 636 |
NNTP | any port |
POP3 | any port |
IMAP | any port |
SMTP | any port |
FINGER | 79 |
DATETIME | 13 |
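The decision that the run-time preferences and the protocol-specific exceptions above describe, written out as an added example (a model of the documented behaviour, not Mozilla's own code): the override list re-enables a port for every scheme, the default list plus the `network.security.ports.banned` pref blocks it, and a scheme in the exceptions table may still open its own ports. The pref names are the ones on this page; the handler table and the sample decisions are taken from the tables above.

```javascript
// Added example modelling the page's port-blocking rules; not Mozilla's code.
// Default blocked ports, copied from the "Blocked Ports" table above.
const DEFAULT_BANNED_PORTS = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79,
  87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135,
  139, 143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540,
  556, 563, 587, 601, 636, 993, 995, 2049, 4045, 6000,
]);

// Per-protocol exceptions from the table above; null means "any port".
const HANDLER_EXCEPTIONS = {
  ftp: [21, 22],
  ldap: [389, 636],
  nntp: null,
  pop3: null,
  imap: null,
  smtp: null,
  finger: [79],
  datetime: [13],
};

// Parse a comma-delimited pref value such as "8080, 25" into a Set of ports.
// Non-numeric or out-of-range entries are dropped rather than treated as ports.
function parsePortList(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((s) => parseInt(s.trim(), 10))
      .filter((n) => Number.isInteger(n) && n > 0 && n <= 65535)
  );
}

// Decide whether a URI with `scheme` may connect to `port`.
// `prefs` holds the two network.security.ports.* strings from user.js / all.js.
function isPortAllowed(scheme, port, prefs = {}) {
  const override = parsePortList(prefs["network.security.ports.banned.override"]);
  if (override.has(port)) return true; // user explicitly re-enabled the port

  const banned = parsePortList(prefs["network.security.ports.banned"]);
  if (!DEFAULT_BANNED_PORTS.has(port) && !banned.has(port)) return true;

  // Port is blocked globally; only the protocol's own handler can allow it.
  const allowed = HANDLER_EXCEPTIONS[String(scheme).toLowerCase()];
  if (allowed === null) return true; // handler accepts any port
  return Array.isArray(allowed) && allowed.includes(port);
}
```

For example, `isPortAllowed("http", 25)` is false (an HTML form cannot be aimed at SMTP), `isPortAllowed("smtp", 25)` is true, and a user.js override of "25" makes `isPortAllowed("http", 25, prefs)` true again, which is exactly why the page warns that a good reason is needed before changing the lists.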
How to Change Mozilla port blocking permanently
Since each protocol can determine which ports are blocked, you should contact the protocol handler owner to request that a specific port be blocked or unblocked. If that fails, contact dougt@netscape.com and/or darin@netscape.com.
You must have a good reason for the change, a deep understanding of the security risk involved and be able to justify it.
Things to do
- Allow user preference to override default port blocking. Currently you need to add preferences to either user.js or all.js. See Bug 85601.
- Per protocol port blocking/enabling preferences
- Better User Interface
- Allow the user to decide if the blocking is really required.
- Some kind of way to manage the ports which are blocked.