Main

Restricted ports in Firefox. Why?

16 April 2008


Check this out: http://own-the.net:110 . In Firefox 3 beta 5 (my version, didn't check the rest), it will tell you this:

Port Restricted for Security Reasons

This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

Now, I don't actually have a POP3 server running on port 110, so obviously Firefox filters these ports without thinking twice. I'm sure you're asking yourself "why?". That was my first response too, until I finally got it.

I'll demonstrate first. I've set up a small HTTP server (just a few lines of Java) on port 1025 (http://own-the.net:1025). All it does, is echo your request. This may seem legit, however, the funny thing is that it's obviously prone to XSS. Worse yet, cookies are sent to a specific domain or sub-domain, but not to a specific port. Thus, the cookies from the "normal" (port 80) site, are also sent to the port 1025 "page".

You can try and send some JS with the request, but I did put some filtering against a real attack.

(Note: In Firefox, requests are automatically URL encoded, so the simplest form of XSS won't work. On IE, however, it will.)

How is this relevant? Well, many servers are running different services on standard ports. FTP, SMTP, POP3, SSH... Lots of them. If any of those services could be tricked into echoing any of the data you send through an HTTP request, you'd be able to perform XSS.

Sadly(?), I didn't actually find a popular service that is prone to this, however, now I can understand the logic behind this annoying port restriction. The aforementioned services shouldn't be responsible for filtering HTML characters, as they are not intended to be used through a browser at all. Consequently, a good browser has to filter these ports out, or else security could be compromised.



Anyway, props to Mozilla for thinking of this in advance.

Posted by: kGen | In category: XSS | Comments (2)