Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1100 to
the following vulnerability:
Integer overflow in Arora allows remote attackers to bypass
intended port restrictions on outbound TCP connections via
a port number outside the range of the unsigned short data
type, as demonstrated by a value of 65561 for TCP port 25.
This issue is NOT reproducible with QtWebKit as found in latest Fedora updates (Qt 4.6.2).
There's a check in QUrl code.
Arora output while trying to connect to http://localhost:65561/
QUrl::setPort: Out of range
Other WebKit implementations could be still vulnerable.
webkitgtk-220.127.116.11-1.fc12 with midori gives:
(midori:17258): libsoup-CRITICAL **: soup_address_new: assertion `SOUP_ADDRESS_PORT_IS_VALID (port)' failed
(midori:17258): libsoup-CRITICAL **: soup_socket_connect_async: assertion `priv->remote_addr != NULL' failed
where soup defines:
#define SOUP_ADDRESS_PORT_IS_VALID(port) (port >= 0 && port <= 65535)
Konqueror (KHTML based) is not vulnerable to port overflow but does not check port 25 at all.
I'm closing this. The summary of findings:
- arora using QTWebKit - Port number integer overflow is caught as mentioned in comment #2. However, arora/QTWebKit does not use port blacklisting.
- webkitgtk - Port number integer overflow is caught by libsoup network backend (see comment #3). Port 25 itself is blocked.
- konqueror/khtml - Port number integer overflow is caught, default of 80 is used when out-of-range number is specified. As with arora/QTWebKit, there's no port blacklising in use at all.