239121 - Unblock port 1080

Status: VERIFIED FIXED

(Core :: Security, defect)

Description

[Christopher Aillon (sabbatical, not receiving bugmail)]

Tentatively marking as security-sensitive.

I'd like for us to consider unblocking port 1080.  Bbaetz says SOCKS (the most
common port-1080 application) is a binary protocol, so there's no risk of a
malicious site using a SOCKS server on behalf of a visitor.  Other browsers
don't block port 1080 and 1080 is a fairly common http port.  For example. it is
used by the 3ware raid configuration tool.

Also, the exploit that seems to be based on SOCKS was on port 2080, not 1080. 
See http://www.securityfocus.com/bid/509/exploit/ (have we been blocking the
wrong port?)

Comment 1

[Doug Turner (:dougt)]

Bbaetz, what say you.  looking back at my notes, suggest that we agreed that
1080 could be blocked.

Comment 2

[Bradley Baetz (:bbaetz)]

Err, no. I was always against 1080 being blocked. The orignal list I came up
with was taken from the ns4 list of blocked ports, plus port 587.

See (for example) bug 92769 comment 22

Comment 3

[Doug Turner (:dougt)]

that is good enough for me.  I say we unblock for the next release.

Comment 4

[Doug Turner (:dougt)]

Attachment: proposed patch

Comment 5

[Bradley Baetz (:bbaetz)]

Comment on attachment 145077 [details] [diff] [review]
proposed patch

(Actually, it may have been more than just 1080 and 587 we added. I can't
really recall. 1080 is the only one people ahve complained about, though.)

r=bbaetz

Comment 6

[Darin Fisher]

Comment on attachment 145077 [details] [diff] [review]
proposed patch

sr=darin

Comment 7

[chris hofmann]

Comment on attachment 145077 [details] [diff] [review]
proposed patch

a=chofmann for 1.7

Comment 8

[Doug Turner (:dougt)]

Checking in nsIOService.cpp;
/cvsroot/mozilla/netwerk/base/src/nsIOService.cpp,v  <--  nsIOService.cpp
new revision: 1.170; previous revision: 1.169
done

Marking fixed. 

Comment 9

[Jesse Ruderman]

*** Bug 92769 has been marked as a duplicate of this bug. ***

Comment 10

[Jesse Ruderman]

The only potentially security-sensitive thing that came up here was:

> Also, the exploit that seems to be based on SOCKS was on port 2080, not 1080. 
> See http://www.securityfocus.com/bid/509/exploit/ (have we been blocking the
> wrong port?)

Is that worth keeping this bug marked as security-sensitive?  Should a bug be
filed for blocking 2080?  (I don't think 2080 needs to be blocked -- the problem
is the buffer overflow in an old version of Wingate, not that the exploit can
appear to come from a Mozilla user visiting a malicious site.)

Comment 11

[benc]

-> security
qa to me, allplats, for 1.7f

Comment 12

[Daniel Veditz [:dveditz]]

Not an exploit. No one has stepped up to defend keeping this confidential and we
default to openness without good reason otherwise --> removing flag

Comment 13

[benc]

V/fixed. Mozilla 1.7RC2, Linux

Comment 14

[benc]

VERIFIED: Windows XP, 1.7RC2.

Comment 15

[Christopher Aillon (sabbatical, not receiving bugmail)]

Comment on attachment 145077 [details] [diff] [review]
proposed patch

Very low risk, high gain for this as this fix will allow 3ware raid
configuration software to work.

a=blizzard for 1.4.3

Comment 16

[Christopher Aillon (sabbatical, not receiving bugmail)]

I just checked this into the 1.4 branch.