Closed
Bug 147890
Opened 22 years ago
Closed 22 years ago
Access to port 7 (echo) is disabled.
Categories
(Core :: Security, defect)
People
(Reporter: bwucke+bug, Unassigned)
To reproduce:
1. Enter the URL above.

Actual results: "Access to this port has been disabled for security reasons" requester is displayed.

Expected results: "Access denied" requester is displayed. If the host was actually running the echo service, all the headers sent by the browser should be displayed. If the remote server runs some other service, like http or ftp on port 7, normal connection should be established.

I can't really see what "security reasons" make you disable this port. It's very comfortable for debugging purposes to visit a friendly host with echo enabled, just to see what your browser says upon connecting. It also disables all valid services running on this port, and this kind of protection is kinda lame, since one can run echo on different port and it will be possible to connect to it flawlessly. IMHO this just limits the freedom of the free software, restricting the user from using the software for certain purposes.
Comment 1•22 years ago
There is a pref for overriding the blocking. See bug 85601

*** This bug has been marked as a duplicate of 92769 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Please read comment 3 to bug 85601. Although I agree that this "security" thing is pretty moronish. Well, after all, the sources are open, so we can get 'em and recompile it the way we want...
Comment 3•22 years ago
This is to protect the _server_ from the _client_. That is, to protect echo servers from buffer overrun attacks by Mozilla, for example.
Reporter
Comment 4•22 years ago
The sources are under heavy development, patching new version before recompiling every few days is no fun. Besides, there's a ton of other techniques.

That's true, an owner of a page that's visited frequently enough can set up a small script that launches in some hidden frame, flooding the target server from machines of all clients that visit that page. With enough of them, the DDoS attack would get quite effective. There's one problem though: Why the hell would he use such low-CPU and bandwidth-intensive services like Echo, Discard, Daytime or Finger, if he could flood port 80 with much better effect? You should immediately and unconditionally add port 80 to the black list! ;)
-> security V/dupe.
Status: RESOLVED → VERIFIED
Component: Networking → Security: General