[linux-elitists] Yet another mozilla atrocity

Michael Bacarella mbac@netgraft.com
Sun Sep 28 20:50:38 PDT 2003


> > I got a useless message saying "this port has been blocked for
> > security reasons". It turns out that this is considered a feature,
> > for no reason that I can understand. It is described at
> > http://www.mozilla.org/projects/netlib/PortBanning.html. Judging by
> > the port list, it looks like there is no real security reason to block
> > those ports, merely some developers who thought "Hmm, no one would run
> > a HTTP server on those ports. We'd better block them." I still don't
> > see the logic, though. As usual, there are no useful preference items.
> 
> It's not the job of a browser to block ports!  Idiots.

From the cited page, first paragraph:

"On 08/15/2001, Cert issued a Vulnerability Note VU#476267 for
a "Cross-Protocol" scripting attack, known as the HTML Form Protocol
Attack which allowed sending arbitrary data to most TCP ports. A simple
exploit of this hole allows an attacker to send forged unsigned mail
through a mail server behind your firewall: A really nasty hole.

"Mozilla quickly responded by modifying how protocols can access ports.

"By default, Mozilla now blocks access to specific ports which are
used by vulnerable services in order to prevent security vulnerabilities
due to "Cross-Protocol Scripting". Each protocol's handler can override
this blocking for itself in order to enable the required access for
that protocol."

They're not saying "no one would need to run an http server on this
port, let's disable them!", they're saying "it'd be really REALLY bad
if we let any web site send data to any host behind your firewall".

Fortunately, if you need to access these ports, there are instructions
on enabling access not six paragraphs down.

Perhaps you should watch who you call idiots.

-M 
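To make the quoted policy concrete, here is an added example (not Mozilla's code, and not part of the original thread) that models what a browser-side port ban looks like: a URL's effective port is worked out from the scheme, a banned-port list is consulted, and a protocol handler can override the ban for the port it legitimately needs, exactly as the quoted paragraph describes for "each protocol's handler". The banned-port list, the override table and the URLs are constructed for illustration; the real list is on the cited PortBanning page, not reproduced here.

```python
"""Illustrative model of a browser-side port-banning policy.

Added example, not Mozilla's implementation. The banned-port list,
the per-protocol overrides and the sample URLs are constructed for
illustration only.
"""
from urllib.parse import urlsplit

# Constructed sample: ports of non-HTTP services that should not receive
# browser-originated form data (the thread's example target is SMTP/25).
BANNED_PORTS = {21, 23, 25, 110, 119, 143, 6667}

# Constructed sample: a protocol handler re-enables the port it needs,
# so an ftp:// URL may still reach port 21 while http:// may not.
PROTOCOL_OVERRIDES = {"ftp": {21}}

# Default ports used when the URL does not name one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def effective_port(url):
    """Return (scheme, port) for a URL, filling in the scheme default.

    Raises ValueError when the URL carries a port that is not a valid
    integer in 0..65535 (urlsplit's .port property does that check).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port  # None when absent; ValueError when malformed
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, port


def decide(url):
    """Classify a URL as 'allowed' or 'blocked' with a short reason."""
    try:
        scheme, port = effective_port(url)
    except ValueError:
        # Fail closed: a port we cannot parse is not one we will connect to.
        return "blocked", "unparseable port"
    if port is None:
        return "allowed", "no port to check"
    if port in PROTOCOL_OVERRIDES.get(scheme, set()):
        return "allowed", f"{scheme} handler overrides ban on {port}"
    if port in BANNED_PORTS:
        return "blocked", f"port {port} is banned for {scheme}"
    return "allowed", f"port {port} not banned"


def is_blocked(url):
    """True when the policy would refuse to open the URL."""
    return decide(url)[0] == "blocked"


if __name__ == "__main__":
    # Constructed sample URLs exercising each branch of the policy.
    for sample in (
        "http://www.example.test/",          # default 80, allowed
        "http://mail.example.test:25/",      # form post to SMTP, blocked
        "ftp://files.example.test/",         # ftp handler override, allowed
        "http://files.example.test:21/",     # http to FTP port, blocked
        "http://host.example.test:notaport/",  # malformed, blocked
    ):
        verdict, reason = decide(sample)
        print(f"{verdict:8} {sample}  ({reason})")
```

The "fail closed" branch matters: a URL whose port cannot be parsed is refused rather than allowed, so a malformed port never slips past the list. The override table is keyed by scheme because the point of the Mozilla design is that the ban applies to the browser's generic connection path while each protocol handler decides for itself which banned port it is entitled to use.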
