
    Mozilla Port Blocking

    Warning: The content of this article may be out of date.

    Background

    On 08/15/2001, CERT issued Vulnerability Note VU#476267 for a "Cross-Protocol" scripting attack, known as the HTML Form Protocol Attack, which allowed sending arbitrary data to most TCP ports. A simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.

    Mozilla responded by modifying how protocols can access ports.

    By default, Mozilla now blocks access to specific ports which are used by vulnerable services in order to prevent security vulnerabilities due to "Cross-Protocol Scripting". Each protocol's handler can override this blocking for itself in order to enable the required access for that protocol.

    Potential Problems caused by Port Blocking

    Port blocking can cause problems if a site or web application requires access to one of the ports which is blocked in Mozilla. If a user attempts to access a URI on a blocked port, Mozilla shows one of the following alerts to the user or in the Error Console.

    "Access to the port number given has been disabled for security reasons."
    "Establishing a connection to an unsafe or otherwise banned port was prohibited"  
    "0x804b0013 (NS_ERROR_PORT_ACCESS_NOT_ALLOWED)"

    If your product or web site uses a port which is blocked by Mozilla's default port blocking rules, you can either change the port of your service to an unblocked value (recommended if possible) or ask your Mozilla users to enable the port. For details on which ports are blocked and how to override the blocking, see below.

    Modifying Mozilla's port blocking at Run time

    Users can modify the default port blocking by adding preferences containing comma-delimited lists of port numbers to the user.js file (for single users, with the user_pref(…) command) in the user's profile directory. See the example below. Additionally, administrators can edit the all.js file (for multi-user systems, with pref(…)) in the defaults/pref/ sub-directory of the installation directory.

    Enabling Ports
    user_pref("network.security.ports.banned.override", "port1,port2");
    
    Disabling Ports
    user_pref("network.security.ports.banned", "port3,port4");

    Blocked Ports

    Ports blocked by default in Mozilla:

    Port Service
    1 tcpmux
    7 echo
    9 discard
    11 systat
    13 daytime
    15 netstat
    17 qotd
    19 chargen
    20 ftp data
    21 ftp control
    22 ssh
    23 telnet
    25 smtp
    37 time
    42 name
    43 nicname
    53 domain
    77 priv-rjs
    79 finger
    87 ttylink
    95 supdup
    101 hostriame
    102 iso-tsap
    103 gppitnp
    104 acr-nema
    109 POP2
    110 POP3
    111 sunrpc
    113 auth
    115 sftp
    117 uucp-path
    119 NNTP
    123 NTP
    135 loc-srv / epmap
    139 netbios
    143 IMAP2
    179 BGP
    389 LDAP
    465 SMTP+SSL
    512 print / exec
    513 login
    514 shell
    515 printer
    526 tempo
    530 courier
    531 chat
    532 netnews
    540 uucp
    556 remotefs
    563 NNTP+SSL
    587 submission
    601 syslog
    636 LDAP+SSL
    993 IMAP+SSL
    995 POP3+SSL
    2049 nfs
    4045 lockd
    6000 X11

    Protocol Specific Exceptions

    Each protocol handler can override the global blocked ports to allow its own protocol to function.

    Ports enabled by protocol handlers in Mozilla:

    Protocol Handler Allowed Ports
    FTP 21, 22
    LDAP 389, 636
    NNTP any port
    POP3 any port
    IMAP any port
    SMTP any port
    FINGER 79
    DATETIME 13
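    To make the interaction between the two preferences above and the per-protocol exceptions concrete, here is an added example (not Mozilla's own code) that models the decision: a URI is refused when its port is in the effective banned list (defaults plus "network.security.ports.banned", minus "network.security.ports.banned.override") and the URI's protocol handler does not re-enable that port. The pref combination order and the default ports for schemes that omit one are assumptions of the model.

```javascript
// Added example modelling this page's port-blocking decision (not Mozilla's
// own code). DEFAULT_BANNED and HANDLER_ALLOWED come from the two tables;
// pref handling is assumed: defaults + banned pref - banned.override pref.
const DEFAULT_BANNED = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79, 87,
  95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139,
  143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563,
  587, 601, 636, 993, 995, 2049, 4045, 6000,
]);

// Ports each protocol handler re-enables for itself; "any" accepts every port.
const HANDLER_ALLOWED = {
  ftp: [21, 22], ldap: [389, 636], nntp: "any", pop3: "any",
  imap: "any", smtp: "any", finger: [79], datetime: [13],
};

// Assumed default ports for URIs that omit one.
const DEFAULT_PORT = { http: 80, https: 443, ftp: 21, ldap: 389, nntp: 119 };

const NS_ERROR_PORT_ACCESS_NOT_ALLOWED = 0x804b0013; // code quoted above

// "25, 8080" -> [25, 8080]; blanks and junk entries are dropped.
function parsePortList(pref) {
  if (!pref) return [];
  return pref.split(",").map(s => Number(s.trim()))
             .filter(n => Number.isInteger(n) && n > 0 && n < 65536);
}

function effectiveBannedPorts(prefs) {
  const banned = new Set(DEFAULT_BANNED);
  for (const p of parsePortList(prefs["network.security.ports.banned"])) banned.add(p);
  for (const p of parsePortList(prefs["network.security.ports.banned.override"])) banned.delete(p);
  return banned;
}

// Global ban first, then the protocol handler's own exception list.
function allowPort(scheme, port, prefs = {}) {
  if (!effectiveBannedPorts(prefs).has(port)) return true;
  const allowed = HANDLER_ALLOWED[scheme];
  if (allowed === "any") return true;
  return Array.isArray(allowed) && allowed.includes(port);
}

// Returns null when the URI may be loaded, else the error code the page cites.
function checkUri(uri, prefs = {}) {
  const u = new URL(uri);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port ? Number(u.port) : DEFAULT_PORT[scheme];
  if (port === undefined) throw new Error(`no default port known for ${scheme}:`);
  return allowPort(scheme, port, prefs) ? null : NS_ERROR_PORT_ACCESS_NOT_ALLOWED;
}
```

For instance, an HTTP form submission to port 25 (the SMTP case from the Background section) is refused, while an NNTP URI on the same port passes because the NNTP handler allows any port.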

    How to Change Mozilla port blocking permanently

    Since each protocol can determine which ports are blocked, you should contact the protocol handler owner to request that a specific port be blocked or unblocked. If that fails, contact dougt@netscape.com and/or darin@netscape.com.

    You must have a good reason for the change, a deep understanding of the security risk involved and be able to justify it.

    Things to do

    • Allow user preference to override default port blocking. Currently you need to add preferences to either user.js or all.js. See bug 85601.
    • Per protocol port blocking/enabling preferences.
    • Better User Interface
      • Allow the user to decide if the blocking is really required.
      • Some kind of way to manage the ports which are blocked.

    More Information

    Original Document Information

    • Author(s): Doug Turner
    • Last Updated Date: August 15, 2007
    • Copyright Information: Portions of this content are © 1998–2007 by individual mozilla.org contributors; content available under a Creative Commons license.
