[whatwg/fetch] Block more X11 ports? (#740)

https://fetch.spec.whatwg.org/commit-snapshots/78a8dcd9de92a34e1f16e9728784b77a033a654d/#port-blocking

> 6000 x11

It would be good to block more X11 ports. Apologies if this has been discussed before, I couldn't find any reference to it.

X11 display :N uses port 6000 + N. It would be good to block all possible displays, but there appears to be no upper limit. The xvfb-run comment uses display :99, i.e. port 6099.

A few additional complications:

1. On modern Unix systems, the X11 server doesn't listen on TCP/IP by default, so they are not vulnerable. I think Windows X servers still do.
2. I'm not sure if any X11 servers are actually exploitable to HTTP-based attacks (but I don't know that they aren't).
3. I have no statistics for how many people run X11 servers with a display number > 0.
4. Modern X11 servers only listen on localhost by default, so port scanning the Internet won't provide an answer to question 3.

Because there are almost certainly people running test servers on port 6080 and other ports in the range, the benefits of widening the blocking don't necessarily outweigh the costs, but I thought it was worth bringing up.

https://github.com/whatwg/fetch/issues/740

Received on Monday, 28 May 2018 07:01:17 UTC
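The display-to-port mapping and the trade-off raised above can be checked mechanically. The following is an added example, not code from the Fetch Standard or from the issue author: it models a "bad port" check with a configurable X11 display range, so one can see that blocking displays up to :99 (port 6099, the xvfb-run case) also blocks 6080, the kind of port the issue says test servers commonly use. Only port 6000 is taken from the spec's list quoted above; the helper names, the policy object and the sample dev-server ports are constructed for this example.

```javascript
// Added example: models a Fetch-style "bad port" rule extended over the X11
// display range. Not the Fetch Standard's algorithm; names and the sample
// port list are constructed for illustration.

const X11_BASE_PORT = 6000;   // X11 display :N listens on TCP port 6000 + N
const MAX_TCP_PORT = 65535;

// The Fetch Standard's bad-port list is longer than this; only the single
// entry quoted in the issue ("6000 x11") is reproduced here (assumption:
// the reader consults the spec snapshot for the full list).
const BASE_BAD_PORTS = new Set([X11_BASE_PORT]);

// Map a TCP port to an X11 display number, or null if the port is outside
// the X11 range (below 6000 or above the TCP maximum).
function x11DisplayForPort(port) {
  if (!Number.isInteger(port) || port < X11_BASE_PORT || port > MAX_TCP_PORT) {
    return null;
  }
  return port - X11_BASE_PORT;
}

// Decide whether a port is blocked under a policy. maxX11Display = 0
// reproduces the spec snapshot (only display :0 blocked); a larger value
// widens the block to displays :0 through :maxX11Display.
function isBadPort(port, policy = { maxX11Display: 0 }) {
  if (BASE_BAD_PORTS.has(port)) return true;
  const display = x11DisplayForPort(port);
  return display !== null && display <= policy.maxX11Display;
}

// Apply the check the way a fetch implementation would: test the URL's
// effective port (explicit, or the scheme default for http/https; other
// schemes are out of scope for this example).
function requestAllowed(urlString, policy = { maxX11Display: 0 }) {
  const url = new URL(urlString);
  let port;
  if (url.port !== '') {
    port = Number(url.port);
  } else {
    port = url.protocol === 'https:' ? 443 : 80;
  }
  return !isBadPort(port, policy);
}

// Quantify the collateral cost of widening the block: which ports from a
// list of legitimate local services would the policy newly block compared
// with the spec snapshot (display :0 only)?
function collateralBlocks(policy, legitimatePorts) {
  const baseline = { maxX11Display: 0 };
  return legitimatePorts.filter(
    (p) => isBadPort(p, policy) && !isBadPort(p, baseline),
  );
}

// Constructed sample: ports the issue describes as plausibly used by local
// test servers, plus one outside the X11 range for contrast.
const SAMPLE_DEV_PORTS = [6080, 6081, 8080];

// Stand-alone demonstration of the trade-off.
const widened = { maxX11Display: 99 };
console.log('port 6099 -> display', x11DisplayForPort(6099));
console.log('6099 allowed under snapshot:', requestAllowed('http://localhost:6099/'));
console.log('6099 allowed under :0..:99 block:', requestAllowed('http://localhost:6099/', widened));
console.log('dev ports newly blocked by :0..:99 block:', collateralBlocks(widened, SAMPLE_DEV_PORTS));
```

Under the snapshot policy only port 6000 is refused; widening to display :99 refuses 6099 but also 6080 and 6081 from the sample list, which is the cost the issue weighs against the benefit.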