Chuck Esterbrook wrote:
>
> I want to browse a machine on my LAN whose web server runs off port 79.
> I can do so with the lynx, konqueror and opera browsers, as I expect.
>
> But both Mozilla (0.9.4) and Galeon (0.12.1) browsers instantly bring
> up a dialog that says:
>
> "Access to the port number given has been disabled for security reasons"
>
> I'm on Linux/Mandrake 8.1.
>
> Any ideas?
>
> -Chuck

Lord, is this defect *still* there?

What's going on here is almost beyond belief, but it's all there in years-old newsgroup articles if you care to dig around (Bugzilla will probably come up empty, this was (well, "is" I guess) pretty embarrassing to the Powers That Be).

Mozilla blocks these ports because *it can't properly parse URLs*. No, I'm not kidding. The problem is that a malicious, invalid URL can be given to Mozilla, and Mozilla will pass it *unchecked* to lower levels. Once down there, what can happen is that an URL (which again is completely invalid and could have been easily rejected the second it got to the "OpenThisURL()" level) can point to, say, your telnet[1] server port, and *commands* in the malformed URL can be executed.

So in typical Mozilla fashion, instead of solving the problem once and for all by spending ten seconds fixing the URL parser, AOL decides to have Mozilla block certain ports and figures that'll be good enough. All this was done in secret, and knowledge of it was dug up by people on the Mozilla newsgroups only later; AFAIR no official AOL employee ever said a word about this, and I know for a fact these "smoky room" shenanigans were uncovered by non-AOL people (I seem to recall it was Mr. Jones, CET, but my memory may be letting me down there).

[1] I don't recall if it's telnet that's actually vulnerable to this sort of zero-effort attack via Mozilla, but something definitely is, and that's why particular ports are blocked.
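
The two defences this thread contrasts, strict URL validation and a port blocklist, sketched as an added example that is not part of the thread and is not Mozilla's code. The function names, the sample addresses and the short port list are assumptions made for illustration; a real browser's list is longer.

```javascript
// Illustrative subset of well-known service ports (assumed for this sketch).
const BLOCKED_PORTS = new Map([
  [23, "telnet"],
  [25, "smtp"],
  [79, "finger"],
  [110, "pop3"],
]);

// Layer 1: reject anything that is not a clean http(s) URL before it reaches
// networking code. Control characters and spaces are checked on the raw
// string, because URL parsers may silently strip them during parsing.
function validateUrl(raw) {
  if (/[\x00-\x20\x7f]/.test(raw)) {
    return { ok: false, reason: "control character or whitespace in URL" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme" };
  }
  return { ok: true, url };
}

// Layer 2: the port blocklist. It also refuses well-formed URLs, which is
// what the original poster hit with a legitimate web server on port 79.
function checkLoad(raw) {
  const v = validateUrl(raw);
  if (!v.ok) return { allowed: false, reason: v.reason };
  const defaultPort = v.url.protocol === "https:" ? 443 : 80;
  const port = Number(v.url.port || defaultPort);
  if (BLOCKED_PORTS.has(port)) {
    const service = BLOCKED_PORTS.get(port);
    return { allowed: false, reason: `port ${port} (${service}) is blocked` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs (addresses are made up for the example).
console.log(checkLoad("http://192.168.1.10:79/"));
console.log(checkLoad("http://192.168.1.10:8080/"));
console.log(checkLoad("http://192.168.1.10:25/\r\nX"));
```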
