HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Firefox port "number" bugs... phishing potential?

We generally assume proper TCP port validation restricts them from 1 to 65535 (except in some offbeat cases). With some applications and operating systems, a name can be used to represent a port. For example, on a *nix system, telnet can connect to port 21 with the command “telnet localhost ftp” by looking up “ftp” in /etc/services.

Web browsers typically only handle numbers, and don’t do the name translation. So, typing in an alpha string for a port number should generate an error…right? Not necessarily.

It turns out that in Firefox (up to 3.5), if you provide a string as port number it is simply ignored. This makes some amount of sense—it’s not a number, so discard it. However, if history has taught us anything, even the slightest deception will be abused by the phishing crowd. Consider the following URL:


It’s fairly easy to miss that it’s not “secure.login.server.at.hp.com” but rather “secure.login.server.at” with a port number of “example.com.” Someone causally checking out their links might miss that one. In this case, the alpha string should not just be ignored, but an error presented to the user.

Phishing threat aside, there was also another odd bug in Firefox’s port number handling: very large numbers wrap around a buffer, such that you can work your way right back to the standard range by simply incrementing the number properly. The following, obviously invalid port, actually works in Firefox (below 3.07):


And it takes you to port 80 on hp.com. To convince yourself it’s not simply dropping the number, try:

                http://hp.com:90194313659 (port 443)
                http://hp.com:90194313295 (port 79)

I’m not exactly sure what evil this can be used for. Certainly, you can create links on a site that only Firefox can follow (as Internet Explorer and others reject the port as invalid), and I’m willing to bet search engines and other HTML parsing programs will ignore it as well. What good will that do you? Who knows, but I’m sure someone more evil than me might figure something out.

The port wrapping bug was fixed in FF 3.07 on bug 473587.

The port name bug is still unfixed. I decided to publish this despite the fact that it's not patched because they have made the Bugzilla entry public, which means someone up to no good can see it as well. The information, if you like to take a stab at fixing it, is filed under bug 479485.

Labels: TCP Ports
Chris Sullo | ‎08-26-2009 07:19 PM

A fix has been checked into the FF source for the potential phishing threat, thanks to the work of Honza Bambas,  Boris Zbarsky and others.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.