Closed Bug 1640534 Opened 5 years ago Closed 5 years ago

Do not allow access to local ports / hosts from non-locally-hosted websites

Categories

(Core :: Networking, defect)

76 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 354493

People

(Reporter: masterwayz, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

  1. Visit a website like ebay.com

Actual results:

Observe under F12 --> Network that there are GET requests to 127.0.0.1:xxxx (RDP, VNC and other ports). (Screenshot: https://d3tglj54urvz7a.cloudfront.net/firefox_UbWDh9kJlr.png )

Expected results:

I think it shouldn't be allowed for a website to port scan a computer. (or maybe even an entire network?)
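The report describes a public page issuing requests to 127.0.0.1:xxxx and the later summary asks that non-locally-hosted sites not reach local hosts or ports. The block below is an added illustration (not Firefox code, and not what eBay's script did) of the check a practitioner would want: classify the initiator origin and each request target into an address space (loopback, private, public) and flag requests that cross inward, so a list of URLs exported from the Network panel can be triaged offline. The ranking and the treatment of named hosts as public are simplifying assumptions; the page origin, request list and port numbers are constructed sample data.

```javascript
// Added example: flag requests from a public page to loopback/private hosts.
// Simplified model of "public -> local is not allowed"; not Firefox's logic.

const SPACE_RANK = { local: 0, private: 1, public: 2 };

// Parse a dotted-quad IPv4 literal; return null if `host` is not one.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => Number.isInteger(o) && o <= 255) ? octets : null;
}

// Classify a hostname as returned by URL.hostname (IPv6 literals keep brackets).
function addressSpace(hostname) {
  const host = hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return 'local';
  if (host === '[::1]') return 'local';
  if (host.startsWith('[')) {
    // IPv6 literal: only link-local (fe80::/10) and unique-local (fc00::/7)
    // are treated as private here; everything else is assumed public.
    const v6 = host.slice(1, -1);
    if (/^fe[89ab][0-9a-f]:/.test(v6)) return 'private';
    if (/^f[cd][0-9a-f]{2}:/.test(v6)) return 'private';
    return 'public';
  }
  const v4 = parseIPv4(host);
  if (!v4) return 'public'; // assumption: a DNS name resolves to a public host
  const [a, b] = v4;
  if (a === 127 || a === 0) return 'local';            // 127/8, 0/8
  if (a === 10) return 'private';                      // 10/8
  if (a === 172 && b >= 16 && b <= 31) return 'private'; // 172.16/12
  if (a === 192 && b === 168) return 'private';        // 192.168/16
  if (a === 169 && b === 254) return 'private';        // 169.254/16 link-local
  return 'public';
}

// Compare initiator and target spaces; `crossesInward` is true when a page
// reaches a more-private space than the one it was served from.
function classifyRequest(initiatorOrigin, targetUrl) {
  const initiator = new URL(initiatorOrigin);
  const target = new URL(targetUrl);
  const from = addressSpace(initiator.hostname);
  const to = addressSpace(target.hostname);
  return {
    from,
    to,
    targetHost: target.hostname,
    targetPort: target.port || (target.protocol === 'https:' ? '443' : '80'),
    crossesInward: SPACE_RANK[to] < SPACE_RANK[from],
  };
}

// Triage a list of observed request URLs (e.g. copied from the Network panel)
// and return only those that a public page made to local/private hosts.
function findLocalProbes(pageOrigin, requestUrls) {
  return requestUrls
    .map((u) => ({ url: u, ...classifyRequest(pageOrigin, u) }))
    .filter((r) => r.crossesInward);
}

// Constructed sample: one ordinary CDN fetch plus probes to loopback and LAN
// addresses on ports commonly used by remote-desktop/VNC services.
const SAMPLE_PAGE = 'https://www.example.com/';
const SAMPLE_REQUESTS = [
  'https://cdn.example.com/app.js',
  'https://127.0.0.1:3389/',
  'https://127.0.0.1:5900/',
  'http://localhost:5901/',
  'http://192.168.1.1/',
  'https://[::1]:5938/',
];

for (const p of findLocalProbes(SAMPLE_PAGE, SAMPLE_REQUESTS)) {
  console.log(`${p.from} -> ${p.to}: ${p.targetHost}:${p.targetPort} (${p.url})`);
}
```

Feeding it the sample list prints five of the six URLs; only the CDN request survives the filter. A page served from `http://localhost:8080/` fetching `http://127.0.0.1:9000/` is local to local and is not flagged, which matches the "non-locally-hosted websites" wording in the summary.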

I can't reproduce (tested on macOS). Can you reproduce in a separate, clean Firefox profile ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ) ?

Flags: needinfo?(michael)

I have. On Windows 10, I was able to reproduce this with a new and clean Firefox profile.
On my Mac OS VM, it indeed does not do that. But on my Windows VMs (and main PC, with a clean Firefox profile), it does do that.

Flags: needinfo?(michael)

So apparently this got filed in response to https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage/ which is public, so no point keeping this restricted. Other browsers do exactly the same thing.

In future, please clarify sources like this.

We have bugs on file to try to tighten restrictions around this. bug 1481298 / bug 354493 are probably closest.

Anne, is there any point keeping this open separately?

Group: firefox-core-security
Component: Untriaged → Networking
Flags: needinfo?(annevk)
Product: Firefox → Core
Summary: Firefox allows portscanning of a computer from a website. → Do not allow access to local ports / hosts from non-locally-hosted websites

My apologies, I couldn't find a bug like it when using the section you get during bug creation, and by checking the security checkmark I just wanted to be sure. I had just found it out myself and hadn't looked on the internet for things like that. My first focus was to report it to Firefox, and since the initial search that happens when creating a bug found nothing, I wanted to file the bug first before anything else, just to be sure. My apologies for that, I didn't mean to make those mistakes; I just wanted to be safe rather than sorry.

Michael, that's the right approach and I hope this doesn't dissuade you from reporting a bug again.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(annevk)
Resolution: --- → DUPLICATE

(In reply to Michael Goossens from comment #4)

My apologies, I couldn't find a bug like it when using the section you get during bug creation, and by checking the security checkmark I just wanted to be sure. I had just found it out myself and hadn't looked on the internet for things like that.

No worries, and don't feel bad about the duplicate bug, either! It must have taken me at least 15 minutes of searching with lots of different keywords to find these bugs - I just happened to remember they existed. Bugzilla search is sometimes not amazing.
