Mozilla Port Blocking

  • Revision slug: Mozilla_Port_Blocking
  • Revision title: Mozilla Port Blocking
  • Revision id: 178494
  • Created:
  • Creator: Jimmatt
  • Is current revision? No
  • Comment /* Enabling Ports */

Revision Content

{{template.Outdated()}}

Background

On 08/15/2001, CERT issued a Vulnerability Note VU#476267 for a "Cross-Protocol" scripting attack, known as the HTML Form Protocol Attack, which allowed sending arbitrary data to most TCP ports. A simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.

Mozilla quickly responded by modifying how protocols can access ports.

By default, Mozilla now blocks access to specific ports which are used by vulnerable services in order to prevent security vulnerabilities due to "Cross-Protocol Scripting". Each protocol's handler can override this blocking for itself in order to enable the required access for that protocol.

Potential Problems caused by Port Blocking

Port blocking can cause problems if a site or web application requires access to one of the ports which is blocked in Mozilla. If a user attempts to access a URI on a blocked port, Mozilla will issue the following alert:

Access to the port number given has been disabled for security reasons.

If your product or web site uses a port which is blocked by Mozilla's default port blocking rules, you can either change the port of your service to an unblocked value (recommended if possible) or ask your Mozilla users to enable the port. For details on which ports are blocked and how to override the blocking see below.

Modifying Mozilla's port blocking at run time

Mozilla allows a user to modify the default port blocking by adding preferences containing comma-delimited lists of port numbers to either the user.js file in the user's profile directory (for single users) or the all.js file in the defaults/pref/ sub-directory of the Mozilla installation directory (for multi-user systems), in order to enable or block ports in Mozilla.

user.js

user.js uses the user_pref(...) command to set preferences per user.

Enabling Ports
user_pref("network.security.ports.banned.override", "port1,port2,port7");
Disabling Ports
user_pref("network.security.ports.banned", "port3,port4");

all.js

all.js uses the pref(...) command to set preferences per multi-user installation.

Enabling Ports
pref("network.security.ports.banned.override", "port1,port2");
Disabling Ports
pref("network.security.ports.banned", "port3,port4");

Blocked Ports

Ports blocked by default in Mozilla:

Port Service
1 tcpmux
7 echo
9 discard
11 systat
13 daytime
15 netstat
17 qotd
19 chargen
20 ftp data
21 ftp control
22 ssh
23 telnet
25 smtp
37 time
42 name
43 nicname
53 domain
77 priv-rjs
79 finger
87 ttylink
95 supdup
101 hostriame
102 iso-tsap
103 gppitnp
104 acr-nema
109 POP2
110 POP3
111 sunrpc
113 auth
115 sftp
117 uucp-path
119 NNTP
123 NTP
135 loc-srv / epmap
139 netbios
143 IMAP2
179 BGP
389 LDAP
465 SMTP+SSL
512 print / exec
513 login
514 shell
515 printer
526 tempo
530 courier
531 chat
532 netnews
540 uucp
556 remotefs
563 NNTP+SSL
587 submission
601 syslog
636 LDAP+SSL
993 IMAP+SSL
995 POP3+SSL
2049 nfs
4045 lockd
6000 X11

Protocol Specific Exceptions

Each protocol handler can override the global blocked ports to allow its own protocol to function.

Ports enabled by protocol handlers in Mozilla:

Protocol Handler Allowed Ports
FTP 21, 22
LDAP 389, 636
NNTP any port
POP3 any port
IMAP any port
SMTP any port
FINGER 79
DATETIME 13
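The two preferences and the two tables above combine into one decision per connection attempt. The following is an added example, not Mozilla's code: a JavaScript model (chosen because user.js and all.js are JavaScript-syntax files) that parses a constructed user.js fragment, builds the effective policy from the default list plus the banned and banned.override preferences, applies the per-handler exceptions, and classifies URIs. The evaluation order (override first, then the banned list, then the handler exception) and the scheme names used as keys in HANDLER_ALLOWED_PORTS are assumptions of this example, not a description of nsIOService.cpp.

```javascript
// Added example, not Mozilla's code: a model of the port-blocking decision
// described on this page. Default list and handler exceptions come from the
// page's tables; the evaluation order is an assumption of this example.

// Ports blocked by default (the "Blocked Ports" table).
const DEFAULT_BANNED_PORTS = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79,
  87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135,
  139, 143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556,
  563, 587, 601, 636, 993, 995, 2049, 4045, 6000,
]);

// Per-protocol exceptions (the "Protocol Specific Exceptions" table),
// keyed by URI scheme (assumed mapping). null means "any port".
const HANDLER_ALLOWED_PORTS = {
  ftp: new Set([21, 22]),
  ldap: new Set([389, 636]),
  nntp: null,
  pop3: null,
  imap: null,
  smtp: null,
  finger: new Set([79]),
  datetime: new Set([13]),
};

// Parse lines of the form  user_pref("name", "value");  or  pref("name", "value");
// into a Map of pref name -> string value. Comments, blank lines and
// non-string prefs (integers, booleans) are ignored.
function parsePrefs(text) {
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/;
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

// Turn a comma-delimited port list into a Set of integers, rejecting
// anything that is not a valid TCP port number.
function parsePortList(value) {
  const ports = new Set();
  for (const item of (value || "").split(",")) {
    const s = item.trim();
    if (s === "") continue;
    const n = Number(s);
    if (!Number.isInteger(n) || n < 1 || n > 65535) {
      throw new Error(`invalid port in list: "${s}"`);
    }
    ports.add(n);
  }
  return ports;
}

// Combine the defaults with the two prefs into an effective policy.
function buildPolicy(prefs) {
  const extra = parsePortList(prefs.get("network.security.ports.banned"));
  return {
    banned: new Set([...DEFAULT_BANNED_PORTS, ...extra]),
    override: parsePortList(prefs.get("network.security.ports.banned.override")),
  };
}

// Decide whether a URI with this scheme may connect to this port.
function isPortAllowed(policy, scheme, port) {
  if (policy.override.has(port)) return true;    // user re-enabled the port
  if (!policy.banned.has(port)) return true;     // never blocked
  const handler = HANDLER_ALLOWED_PORTS[scheme.toLowerCase()];
  if (handler === undefined) return false;       // e.g. http has no exception
  return handler === null || handler.has(port);  // "any port" or a listed port
}

// Classify a full URI. A URI without an explicit port is not subject to the
// check in this model (the handler picks its own default port).
function checkUri(policy, uri) {
  const u = new URL(uri);
  const scheme = u.protocol.replace(/:$/, "");
  const port = u.port === "" ? null : Number(u.port);
  const allowed = port === null || isPortAllowed(policy, scheme, port);
  return { uri, scheme, port, allowed };
}

// Constructed sample user.js: re-enable NTP (123) and additionally block 8080.
const SAMPLE_USER_JS = `
// constructed sample, not a real profile
user_pref("network.security.ports.banned.override", "123");
user_pref("network.security.ports.banned", "8080");
user_pref("browser.startup.homepage", "about:blank");
`;

const SAMPLE_POLICY = buildPolicy(parsePrefs(SAMPLE_USER_JS));

for (const uri of [
  "http://intranet.example:25/",    // BLOCK: HTTP may not reach SMTP
  "smtp://mail.example:25/",        // allow: SMTP handler accepts any port
  "http://intranet.example:123/",   // allow: overridden in user.js
  "http://intranet.example:8080/",  // BLOCK: added by user.js
  "ftp://files.example:23/",        // BLOCK: FTP only excepts 21 and 22
]) {
  const r = checkUri(SAMPLE_POLICY, uri);
  console.log(`${r.allowed ? "allow" : "BLOCK"} ${uri}`);
}
```

The override list is consulted before the banned list so that a user can re-enable a default-blocked port for every scheme, which is exactly the effect of the network.security.ports.banned.override preference described above; the handler table only matters for ports that remain on the banned list, which is why an http: URI to port 25 is refused while an smtp: URI to the same port is not.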

How to Change Mozilla port blocking permanently

Since each protocol can determine which ports are blocked, you should contact the protocol handler owner to request that a specific port be blocked or unblocked. If that fails, contact dougt@netscape.com and/or darin@netscape.com.

You must have a good reason for the change, a deep understanding of the security risk involved and be able to justify it.

Things to do

  • Allow user preference to override default port blocking. Currently you need to add preferences to either user.js or all.js. See {{template.Bug(85601)}}.
  • Per protocol port blocking/enabling preferences
  • Better User Interface
    • Allow the user to decide if the blocking is really required.
    • Some kind of way to manage the ports which are blocked.

More Information

  • nsIOService.cpp gBadPortList (netwerk/base/src/nsIOService.cpp#87)
  • Bug 83401
  • Vulnerability Note VU#476267 (http://www.kb.cert.org/vuls/id/476267)
  • dougt@netscape.com

Original Document Information

  • Author(s): Doug Turner
  • Last Updated Date: August 15, 2007
  • Copyright Information: Portions of this content are © 1998–2007 by individual mozilla.org contributors; content available under a Creative Commons license | Details.

Revision Source

<p>{{template.Outdated()}}
</p>
<h3 name="Background"> Background </h3>
<p>On 08/15/2001, CERT issued a <a class="external" href="http://www.kb.cert.org/vuls/id/476267">Vulnerability Note VU#476267</a> for a "Cross-Protocol" scripting attack, known as the <a class="external" href="http://www.remote.org/jochen/sec/hfpa/">HTML Form Protocol Attack</a>, which allowed sending arbitrary data to most TCP ports. A simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.
</p><p>Mozilla quickly <a class="external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=83401">responded</a> by modifying how protocols can access ports.
</p><p>By default, Mozilla now blocks access to specific ports which are used by vulnerable services in order to prevent security vulnerabilities due to "Cross-Protocol Scripting". Each protocol's handler can override this blocking for itself in order to enable the required access for that protocol.
</p>
<h3 name="Potential_Problems_caused_by_Port_Blocking"> Potential Problems caused by Port Blocking </h3>
<p>Port blocking can cause problems if a site or web application requires access to one of the ports which is blocked in Mozilla. If a user attempts to access a URI on a blocked port, Mozilla will issue the following alert:
</p>
<pre>Access to the port number given has been disabled for security reasons.</pre>
<p>If your product or web site uses a port which is blocked by Mozilla's default port blocking rules, you can either change the port of your service to an unblocked value (recommended if possible) or ask your Mozilla users to enable the port. For details on which ports are blocked and how to override the blocking see below.
</p>
<h3 name="Modifying_Mozilla.27s_port_blocking_at_Run_time"> Modifying Mozilla's port blocking at run time </h3>
<p>Mozilla allows a user to modify the default port blocking by adding preferences containing comma-delimited lists of port numbers to either the <code>user.js</code> file in the user's profile directory (for single users) or the <code>all.js</code> file in the <code>defaults/pref/</code> sub-directory of the Mozilla installation directory (for multi-user systems), in order to enable or block ports in Mozilla.
</p>
<h4 name="user.js"> <code class="filename">user.js</code> </h4>
<p><code class="filename">user.js</code> uses the <code>user_pref(...)</code> command to set preferences per user.
</p>
<h5 name="Enabling_Ports"> Enabling Ports </h5>
<pre>user_pref("network.security.ports.banned.override", "port1,port2,port7");</pre>
<h5 name="Disabling_Ports"> Disabling Ports </h5>
<pre>user_pref("network.security.ports.banned", "port3,port4");</pre>
<h4 name="all.js"> <code class="filename">all.js</code> </h4>
<p><code class="filename">all.js</code> uses the <code>pref(...)</code> command to set preferences per multi-user installation.
</p>
<h5 name="Enabling_Ports_2"> Enabling Ports </h5>
<pre>pref("network.security.ports.banned.override", "port1,port2");</pre>
<h5 name="Disabling_Ports_2"> Disabling Ports </h5>
<pre>pref("network.security.ports.banned", "port3,port4");</pre>
<h3 name="Blocked_Ports"> Blocked Ports </h3>
<p>Ports blocked by default in Mozilla:
</p>
<table summary="This table lists the ports blocked by default in Mozilla">

<tbody><tr>
<th>Port
</th><th>Service
</th></tr>
<tr>
<td>1
</td><td>tcpmux
</td></tr>
<tr>
<td>7
</td><td>echo
</td></tr>
<tr>
<td>9
</td><td>discard
</td></tr>
<tr>
<td>11
</td><td>systat
</td></tr>
<tr>
<td>13
</td><td>daytime
</td></tr>
<tr>
<td>15
</td><td>netstat
</td></tr>
<tr>
<td>17
</td><td>qotd
</td></tr>
<tr>
<td>19
</td><td>chargen
</td></tr>
<tr>
<td>20
</td><td>ftp data
</td></tr>
<tr>
<td>21
</td><td>ftp control
</td></tr>
<tr>
<td>22
</td><td>ssh
</td></tr>
<tr>
<td>23
</td><td>telnet
</td></tr>
<tr>
<td>25
</td><td>smtp
</td></tr>
<tr>
<td>37
</td><td>time
</td></tr>
<tr>
<td>42
</td><td>name
</td></tr>
<tr>
<td>43
</td><td>nicname
</td></tr>
<tr>
<td>53
</td><td>domain
</td></tr>
<tr>
<td>77
</td><td>priv-rjs
</td></tr>
<tr>
<td>79
</td><td>finger
</td></tr>
<tr>
<td>87
</td><td>ttylink
</td></tr>
<tr>
<td>95
</td><td>supdup
</td></tr>
<tr>
<td>101
</td><td>hostriame
</td></tr>
<tr>
<td>102
</td><td>iso-tsap
</td></tr>
<tr>
<td>103
</td><td>gppitnp
</td></tr>
<tr>
<td>104
</td><td>acr-nema
</td></tr>
<tr>
<td>109
</td><td>POP2
</td></tr>
<tr>
<td>110
</td><td>POP3
</td></tr>
<tr>
<td>111
</td><td>sunrpc
</td></tr>
<tr>
<td>113
</td><td>auth
</td></tr>
<tr>
<td>115
</td><td>sftp
</td></tr>
<tr>
<td>117
</td><td>uucp-path
</td></tr>
<tr>
<td>119
</td><td>NNTP
</td></tr>
<tr>
<td>123
</td><td>NTP
</td></tr>
<tr>
<td>135
</td><td>loc-srv / epmap
</td></tr>
<tr>
<td>139
</td><td>netbios
</td></tr>
<tr>
<td>143
</td><td>IMAP2
</td></tr>
<tr>
<td>179
</td><td>BGP
</td></tr>
<tr>
<td>389
</td><td>LDAP
</td></tr>
<tr>
<td>465
</td><td>SMTP+SSL
</td></tr>
<tr>
<td>512
</td><td>print / exec
</td></tr>
<tr>
<td>513
</td><td>login
</td></tr>
<tr>
<td>514
</td><td>shell
</td></tr>
<tr>
<td>515
</td><td>printer
</td></tr>
<tr>
<td>526
</td><td>tempo
</td></tr>
<tr>
<td>530
</td><td>courier
</td></tr>
<tr>
<td>531
</td><td>chat
</td></tr>
<tr>
<td>532
</td><td>netnews
</td></tr>
<tr>
<td>540
</td><td>uucp
</td></tr>
<tr>
<td>556
</td><td>remotefs
</td></tr>
<tr>
<td>563
</td><td>NNTP+SSL
</td></tr>
<tr>
<td>587
</td><td>submission
</td></tr>
<tr>
<td>601
</td><td>syslog
</td></tr>
<tr>
<td>636
</td><td>LDAP+SSL
</td></tr>
<tr>
<td>993
</td><td>IMAP+SSL
</td></tr>
<tr>
<td>995
</td><td>POP3+SSL
</td></tr>
<tr>
<td>2049
</td><td>nfs
</td></tr>
<tr>
<td>4045
</td><td>lockd
</td></tr>
<tr>
<td>6000
</td><td>X11
</td></tr></tbody></table>
<h3 name="Protocol_Specific_Exceptions"> Protocol Specific Exceptions </h3>
<p>Each protocol handler can override the global blocked ports to allow its own protocol to function.
</p><p>Ports enabled by protocol handlers in Mozilla:
</p>
<table summary="This table lists the ports enabled by specific protocol handlers in Mozilla">

<tbody><tr>
<th>Protocol Handler
</th><th>Allowed Ports
</th></tr>
<tr>
<td>FTP
</td><td>21, 22
</td></tr>
<tr>
<td>LDAP
</td><td>389, 636
</td></tr>
<tr>
<td>NNTP
</td><td>any port
</td></tr>
<tr>
<td>POP3
</td><td>any port
</td></tr>
<tr>
<td>IMAP
</td><td>any port
</td></tr>
<tr>
<td>SMTP
</td><td>any port
</td></tr>
<tr>
<td>FINGER
</td><td>79
</td></tr>
<tr>
<td>DATETIME
</td><td>13
</td></tr></tbody></table>
<h3 name="How_to_Change_Mozilla_port_blocking_permanently"> How to Change Mozilla port blocking permanently </h3>
<p>Since each protocol can determine which ports are blocked, you should contact the protocol handler owner to request that a specific port be blocked or unblocked. If that fails, contact <a class="external" href="mailto:dougt@netscape.com">dougt@netscape.com</a> and/or <a class="external" href="mailto:darin@netscape.com">darin@netscape.com</a>.
</p><p>You must have a good reason for the change, a deep understanding of the security risk involved and be able to justify it.
</p>
<h3 name="Things_to_do"> Things to do </h3>
<ul><li> Allow user preference to override default port blocking. Currently you need to add preferences to either <code>user.js</code> or <code>all.js</code>. See {{template.Bug(85601)}}.
</li><li> Per protocol port blocking/enabling preferences
</li><li> Better User Interface
<ul><li> Allow the user to decide if the blocking is really required. 
</li><li> Some kind of way to manage the ports which are blocked.
</li></ul>
</li></ul>
<h3 name="More_Information"> More Information </h3>
<ul><li> {{template.Source("netwerk/base/src/nsIOService.cpp#87", "nsIOService.cpp gbadPortList")}}
</li><li> {{template.Bug(83401)}}
</li><li> <a class="external" href="http://www.kb.cert.org/vuls/id/476267">Vulnerability Note VU#476267</a>
</li><li> <a class="external" href="mailto:dougt@netscape.com">dougt@netscape.com</a>
</li></ul>
<div class="originaldocinfo">
<h2 name="Original_Document_Information"> Original Document Information </h2>
<ul><li> Author(s): <a class="external" href="mailto:dougt@netscape.com">Doug Turner</a>
</li><li> Last Updated Date: August 15, 2007
</li><li> Copyright Information: Portions of this content are © 1998–2007 by individual mozilla.org contributors; content available under a Creative Commons license | <a class="external" href="http://www.mozilla.org/foundation/licensing/website-content.html">Details</a>.
</li></ul>
</div>