Navigation blocked on port 10080
Categories
(Core :: Networking, defect)
Tracking
| Version | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | affected |
| firefox86 | --- | affected |
| firefox87 | --- | affected |
People
(Reporter: enrico.amisano, Unassigned)
References
(Regression)
Details
(Keywords: regression)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Steps to reproduce:
Good morning,
For 2 hours, since installing release 85, navigation has been impossible using any port other than 80.
Firefox blocks navigation with these messages:
This address is blocked
This address uses a network port normally intended for purposes other than web browsing. Firefox canceled the request for security reasons.
My question is: why this choice?
We are using an ERP system on port 10080 and nothing works.
Is this a bug, or is it an intentional change?
Our ERP system is unusable at the moment.
Many thanks
Expected results:
Remove this restriction.
Comment 1•5 years ago
This was an intentional change to prevent the attacks.
Comment 2•5 years ago
CVE-2021-23961
I'm not sure that expanding the bad port list scales. How can we prevent malicious sites from detecting a local HTTP server?
Comment 3•5 years ago
Masatoshi: Fully agree it doesn't scale. We know we stopped an attack, but we certainly didn't solve the underlying problem.
But maybe with something like https://wicg.github.io/cors-rfc1918/? (a bit more detail on Chrome's plan to ship this at https://web.dev/cors-rfc1918-feedback/)
Comment 4•5 years ago
Enrico, thank you for filing this report. Would you be able to share what ERP system is affected? I understand you might not be.
I have a similar problem with this change. I have thousands of CPE with their management port on 10080. Of course not accessible from the internet.
But I need to manage them.
Is there any option in about:config that will allow me to use port 10080 again?
Comment 6•5 years ago
Workaround:
Sorry for the inconvenience this is causing.
- Go to about:config
- Create a new pref of type String with the name network.security.ports.banned.override
- Add the required ports as the preference value (you can also add multiple as a comma-separated list or as ranges).
This change does not require a restart.
Thanks, it's working.
Sorry for this spam but there is no thanks or kudos button.
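As an added illustration of the workaround in comment 6 and of Frederik's later point that an override re-opens a port for every website, here is a small model of the check (example code, not Firefox's own implementation). It assumes the pref format described above (comma-separated ports and low-high ranges); the banned set is a constructed stand-in that contains only 10080 from this bug plus a few made-up entries, not Firefox's real table.

```python
"""Model of Firefox port blocking with the
network.security.ports.banned.override pref (added example, not Firefox code)."""
from typing import Set

# Constructed, partial stand-in for the browser's bad-port table: only 10080
# comes from this bug; the other entries are made up for the example.
BANNED_PORTS: Set[int] = {10080, 6000, 6665, 6666, 6667, 6668, 6669}


def parse_port_override(value: str) -> Set[int]:
    """Parse a pref value such as "10080,6665-6669" into a set of ports."""
    ports: Set[int] = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def is_port_blocked(port: int, override: str = "") -> bool:
    """True if the browser would refuse a navigation or fetch to this port."""
    return port in BANNED_PORTS and port not in parse_port_override(override)


def override_risk(override: str) -> Set[int]:
    """Banned ports that the override re-opens. The allow-list is global, so
    these ports become reachable from any website, not just the ERP/CPE host."""
    return parse_port_override(override) & BANNED_PORTS


if __name__ == "__main__":
    print(is_port_blocked(10080))           # blocked by default
    print(is_port_blocked(10080, "10080"))  # allowed after the workaround
    print(sorted(override_risk("10080,6665-6669,8080")))
```

The override_risk result is the list an administrator should be able to justify before shipping the pref, since every site the user visits can then reach those ports.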
Comment 10•4 years ago
Chrome plans to block port 10080 as well: https://chromestatus.com/feature/6510270304223232
Comment 11•4 years ago
This will make many people step away from FF.
I understand the security concerns. But then there should be an easy-to-use exception list and not the need to create configuration entries.
Please, reconsider your approach.
Comment 12•4 years ago
Martin, we did not make this decision lightly. This underwent significant scrutiny from all major browser vendors and is becoming part of the relevant web standards because there are no simpler ways to prevent these attacks. Chrome and Safari will follow and block these ports too.
I understand this is confusing and annoying, but those exceptions have to be on a per-port basis, and once you allow-list a port for all websites, you are reopening the flood gates for these attacks.
You can disable it (as outlined in comment 6 above), but to not become vulnerable again you have to ensure your routers aren't susceptible and your device is always talking to these safe routers (what about laptops and wifis?).
For more information, please take a look at
- for info about the attack: https://samy.pl/slipstream/
- our related security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/#CVE-2021-23961
- for Chrome's plans to follow us: https://chromestatus.com/feature/6510270304223232
- discussions in the WHATWG standards group: https://github.com/whatwg/fetch/pull/1148
Comment 13•4 years ago
Frederik, I really understand the goal.
There are many applications out there that use a local web server on any port. If you block all non-standard ports, the user who is not necessarily allowed to edit the configuration or barely has the knowledge needs to have it fixed by a tech. This is not user friendly at all. On the other hand, if malware is able to install itself locally, why should it not adjust the preferences? In my eyes the whole approach is not secure but only user unfriendly. If you go as far as blocking all non-standard ports, then the allowed exceptions of hosts/ports should be handled like the certificates: in a protected store. If the config just overrides a port, why should that port be safe on all servers?
Comment 14•4 years ago
You might not understand it in full: First, we do not block all non-standard ports. We have merely been extending the existing ban for some additional ones.
Secondly, this attack does not require malware on the system. The attack can be carried out by any evil web page the user is visiting, as long as the browser is able to make outbound connections to any of the affected ports (see also https://fetch.spec.whatwg.org/#port-blocking).