We generally assume proper TCP port validation restricts them from 1 to 65535 (except in some offbeat cases). With some applications and operating systems, a name can be used to represent a port. For example, on a *nix system, telnet can connect to port 21 with the command “telnet localhost ftp” by looking up “ftp” in /etc/services.
Web browsers typically only handle numbers, and don’t do the name translation. So, typing in an alpha string for a port number should generate an error…right? Not necessarily.
It turns out that in Firefox (up to 3.5), if you provide a string as port number it is simply ignored. This makes some amount of sense—it’s not a number, so discard it. However, if history has taught us anything, even the slightest deception will be abused by the phishing crowd. Consider the following URL:
http://secure.login.server.at:example.com/
It’s fairly easy to miss that the host is not “secure.login.server.at.hp.com” but rather “secure.login.server.at”, with “example.com” as the port string. Someone casually checking their links might miss that one. In this case the alpha string should not simply be ignored; an error should be presented to the user.
Phishing threat aside, there was also another odd bug in Firefox’s port number handling: very large port numbers wrap around (the value is effectively truncated to 32 bits, so each of the numbers below is exactly 21 × 2^32 above a valid port), such that you can work your way right back into the standard range by simply choosing the number properly. The following, obviously invalid port, actually works in Firefox (below 3.07):
http://hp.com:90194313296/
And it takes you to port 80 on hp.com. To convince yourself it’s not simply dropping the number, try:
http://hp.com:90194313659 (port 443)
http://hp.com:90194313295 (port 79)
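To make the two behaviours concrete, here is an added example (not code from the original post and not Firefox’s parser) that models the lenient handling described above beside a strict validator a link checker should use. The `lenient_port` function is an assumption about the old behaviour reconstructed from the three URLs on the page: an alphabetic port is silently dropped, and a numeric port is reduced modulo 2^32, which is why 90194313296 lands on port 80. The `strict_port` function is the defensive alternative: digits only, 1 to 65535, otherwise an error rather than a silent fallback.

```python
import re
from urllib.parse import urlsplit

# Splits a URL authority into host and raw port text. The port group accepts
# any characters so we can see exactly what a lenient parser would be handed
# (constructed helper, not Firefox's code).
_AUTHORITY = re.compile(r"^(?P<host>[^:/?#]+)(?::(?P<port>[^/?#]*))?$")


def split_authority(url):
    """Return (host, raw_port_or_None) for a URL such as 'http://host:port/'."""
    authority = urlsplit(url).netloc
    m = _AUTHORITY.match(authority)
    if not m:
        raise ValueError(f"malformed authority: {authority!r}")
    return m.group("host"), m.group("port")


def lenient_port(url, default=80):
    """Model of the lenient behaviour the post describes (an assumption about
    the old parser, not its actual code):
      - a non-numeric port string is discarded and the default is used
      - a numeric port is truncated to 32 bits, so huge values wrap around
    """
    host, port = split_authority(url)
    if port is None or not port.isdigit():
        return host, default            # "example.com" as a port -> ignored
    return host, int(port) % 2**32      # 90194313296 -> 80


def strict_port(url, default=80):
    """Defensive validation: the port must be all digits and within 1..65535.
    Anything else raises instead of silently choosing a port for the user."""
    host, port = split_authority(url)
    if port is None:
        return host, default
    if not port.isdigit():
        raise ValueError(f"non-numeric port {port!r} for host {host!r}")
    value = int(port)
    if not 1 <= value <= 65535:
        raise ValueError(f"port {value} out of range for host {host!r}")
    return host, value


def audit_url(url):
    """Report where lenient and strict handling disagree for one URL, the
    kind of check a link scanner or mail filter would run."""
    host, lenient = lenient_port(url)
    try:
        _, strict = strict_port(url)
        return {"host": host, "port": strict, "suspicious": False}
    except ValueError as err:
        return {"host": host, "port": lenient, "suspicious": True,
                "reason": str(err)}


if __name__ == "__main__":
    # The URLs from the post, plus one ordinary URL for comparison.
    for u in ("http://hp.com:90194313296/",
              "http://secure.login.server.at:example.com/",
              "http://hp.com:8080/"):
        print(u, "->", audit_url(u))
```

Running the block prints, for each URL, the host, the port a lenient parser would actually connect to, and whether the strict validator flagged it; the two phishing-style URLs from the post are both reported as suspicious while the ordinary one passes.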
I’m not exactly sure what evil this can be used for. Certainly, you can create links on a site that only Firefox can follow (as Internet Explorer and others reject the port as invalid), and I’m willing to bet search engines and other HTML parsing programs will ignore it as well. What good will that do you? Who knows, but I’m sure someone more evil than me might figure something out.
The port wrapping bug was fixed in FF 3.07 on bug 473587.
The port name bug is still unfixed. I decided to publish this despite the fact that it's not patched because they have made the Bugzilla entry public, which means someone up to no good can see it as well. The information, if you like to take a stab at fixing it, is filed under bug 479485.
Posted 07-22-2009 2:49 PM by Chris Sullo