Bug 190532 - IRC may need port restriction to avoid SMTP exploit
Status: RESOLVED FIXED
Product: Other Applications
Classification: Client Software
Component: ChatZilla
Version: Trunk
Platform: x86 Windows 2000
Importance: -- normal
Assigned To: Robert Ginda
QA Contact: Samuel Sieb

Reported: 2003-01-24 14:05 PST by Mitchell Stoltz (not reading bugmail)
Modified: 2004-11-23 18:54 PST

Attachments
patch (3.69 KB, patch)
2003-02-04 11:29 PST, Robert Ginda
darin.moz: review+
dbaron: approval1.3b+

Description Mitchell Stoltz (not reading bugmail) 2003-01-24 14:05:19 PST
From Georgi:
   We may want to restrict the ports that IRC can use, since it might be
possible to use a link like
<a href="irc://localhost:25">IRC TO localhost:smtp</a>
to send mail in another user's name, similar to a problem we once had with Gopher.
Comment 1 Robert Ginda 2003-02-03 18:59:22 PST
I don't see how it would be possible to send anything that looks like SMTP over
irc:, but I could be wrong.

http://lxr.mozilla.org/mozilla/source/extensions/irc/js/lib/chatzilla-service.js#171

It looks to me that chatzilla shouldn't allow connections over questionable
ports, but I've never actually seen this function get called.  Mitch, what's the
deal with nsIProtocolHandler.allowPort?  Is it only supposed to be called for
questionable ports, or all ports?  Any idea why it isn't being called for me?
Comment 2 Darin Fisher 2003-02-03 19:29:56 PST
rob: you need to call nsIIOService::allowPort from your implementation of
newChannel if you want to use the standard port blocking mechanism. 
nsIOService::AllowPort will invoke your nsIProtocolHandler::allowPort to give
you the opportunity to override a port that the io service would otherwise
block.  see nsIIOService.idl and nsIProtocolHandler.idl for more details.  this
stuff is sort of documented there.
Comment 3 Darin Fisher 2003-02-03 19:31:07 PST
btw: this issue is not just with SMTP... we generally block other ports as well.
 the list is in nsIOService.cpp.
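
The two-level check described in comments 2 and 3, modelled in plain JavaScript as an added example (not ChatZilla or Mozilla code). Only the names `allowPort` and `newChannel` come from the thread; `ioServiceAllowPort`, `makeIrcHandler`, `tryOpen` and the banned-port set are constructed for illustration.

```javascript
// Constructed sample of banned ports; the real list is in nsIOService.cpp
// and is not reproduced here.
const BANNED_PORTS = new Set([21, 22, 23, 25, 110, 143]);
const IRC_DEFAULT_PORT = 6667;

// Model of the I/O service check: a port passes if it is not banned, or if
// the protocol handler explicitly overrides the ban for its scheme.
function ioServiceAllowPort(port, scheme, handler) {
  if (!BANNED_PORTS.has(port)) return true;
  // The handler is consulted only for ports that would otherwise be blocked.
  return handler.allowPort(port, scheme) === true;
}

// Hypothetical irc: handler. overridePorts lists banned ports this handler
// chooses to permit; the default is none.
function makeIrcHandler(overridePorts = []) {
  const overrides = new Set(overridePorts);
  return {
    scheme: "irc",
    allowPort: (port) => overrides.has(port),
    // The check runs only because newChannel calls it; a handler that skips
    // this call gets no port blocking at all.
    newChannel(spec) {
      const url = new URL(spec);
      if (url.protocol !== "irc:") throw new Error("not an irc: URL");
      const port = url.port === "" ? IRC_DEFAULT_PORT : Number(url.port);
      if (!ioServiceAllowPort(port, this.scheme, this)) {
        throw new Error(`port ${port} is blocked for ${this.scheme}:`);
      }
      return { host: url.hostname, port };
    },
  };
}

// Returns the channel description, or { blocked: reason } if refused.
function tryOpen(handler, spec) {
  try {
    return handler.newChannel(spec);
  } catch (e) {
    return { blocked: e.message };
  }
}

const handler = makeIrcHandler();
console.log(tryOpen(handler, "irc://localhost:25"));      // refused
console.log(tryOpen(handler, "irc://irc.example.org/"));  // default port 6667
```
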
Comment 4 Robert Ginda 2003-02-04 11:29:03 PST
Created attachment 113511
patch

Patch uses allowPort as described by darin.  I also took the opportunity to
remove some of the aUseless aArgument aPrefixes that I hate so much in
JavaScript.
Comment 5 Darin Fisher 2003-02-04 12:24:22 PST
Comment on attachment 113511
patch

r/sr=darin (looks good!)

i really wish we had chosen different names for nsIIOService::allowPort and
nsIProtocolHandler::allowPort, since the sense of the return value is
inconsistent :-(

the protocol handler one should have been called something like
"overridePortBan" or something more to the point.
Comment 6 Robert Ginda 2003-02-04 17:28:35 PST
checked in.
Comment 7 Daniel Veditz [:dveditz] 2004-07-20 04:47:16 PDT
Bugs published on the Known-vulnerabilities page long ago, removing confidential
flag.