This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 4768

Summary: Vulnerability of IDE. http server allows access to local disk to any host.
Product: ide
Reporter: issues@www <issues>
Component: Internal Server
Assignee: iformanek <iformanek>
Status: CLOSED FIXED
Severity: major
Priority: P1
Version: -FFJ-
Hardware: All
OS: All
Issue Type: DEFECT
Exception Reporter:

Description issues@www 1999-11-24 17:40:42 UTC
Vulnerable Application:
> Sun Microsystems NetBeans (recently renamed to Forte) Java IDE
>
> Versions tested:
> NetBeans Developer 3.0 Beta
> Forte Community Edition 1.0 Beta
> unknown if earlier versions have vulnerability
>
> Platform tested:
> Windows NT 4.0
> unknown if other platforms have vulnerability
>
> Description:
> The IDE includes an internal HTTP server to try Java code.  The settings
> indicate that access must be explicitly granted on a per-IP-address basis.
> However, when service is enabled for one machine, the HTTP server allows
> remote access to root and all subdirectories from any machine.  NOTE, for
> the NetBeans 3.0 Beta version, this is the default activity.  Therefore, no
> action is required by the user for the vulnerability to exist.  Under the
> Forte 1.0 Beta version, a user must enable at least one address in the
> HTTP server settings for the vulnerability to exist.  However, once a
> single IP address is entered, any machine can connect to the internal HTTP
> server port (default is 8082).  Even if all IP addresses are removed, the
> server continues to allow connections when the IDE is running.
>
> Example:
> While the IDE is running, connecting with any browser to
> http://vvv.xxx.yyy.zzz:8082/..
> provides a listing of the root directory.
> Sub-directories can then be accessed.
>
> Solution (work around):
> 1) Set the HTTP Server "Enable" setting to False in Project settings.
> or
> 2) Remove the HTTP Server module in Global settings.
>
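The flaw the report describes has two halves: a per-host allow-list that is stored but never enforced, and a request path that is joined onto the served directory without being confined to it, so a request for /.. walks above the root. The following is an added example written for this page, not NetBeans or Forte code; the allow-list, the document root /home/dev/project, the status codes and all function names are constructed. vulnerable_handle reproduces the reported behaviour (enough ".." segments reach the filesystem root, for any client), and hardened_handle performs the two checks the settings promised: the client address against the allow-list, then the decoded, normalized path against the document root.

```python
import posixpath
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed allow-list standing in for the IDE's per-IP grant list,
# and a constructed document root; neither comes from the bug report.
ALLOWED = [ip_network("10.0.0.5/32"), ip_network("192.168.1.0/24")]
DOC_ROOT = "/home/dev/project"


def _request_relpath(url_path):
    """Strip the query string, percent-decode once, drop the leading slash."""
    return unquote(url_path.split("?", 1)[0]).lstrip("/")


def vulnerable_handle(client_ip, url_path, doc_root=DOC_ROOT):
    """The flawed pattern: client_ip is accepted but never checked against
    the allow-list, and the path is joined onto doc_root with no
    containment check, so '..' segments resolve above the root."""
    return posixpath.normpath(posixpath.join(doc_root, _request_relpath(url_path)))


def client_allowed(client_ip, allowed=ALLOWED):
    """Per-IP check: accept only addresses inside a listed host or network.
    Anything that does not parse as an IP address is rejected."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def confine_path(doc_root, url_path):
    """Resolve url_path under doc_root. Returns the normalized filesystem
    path, or None when the normalized result is not inside doc_root.
    commonpath (not a string prefix test) is used so that a sibling such as
    /home/dev/project2 is also rejected."""
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, _request_relpath(url_path)))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def hardened_handle(client_ip, url_path, doc_root=DOC_ROOT, allowed=ALLOWED):
    """Returns (status, path): 403 for unlisted clients, 404 when the path
    escapes doc_root, 200 with the confined path otherwise. The client check
    runs first so an unlisted host learns nothing about the directory layout."""
    if not client_allowed(client_ip, allowed):
        return 403, None
    path = confine_path(doc_root, url_path)
    if path is None:
        return 404, None
    return 200, path


if __name__ == "__main__":
    # Constructed requests: an unlisted host asking for the root directory.
    print(vulnerable_handle("203.0.113.7", "/../../.."))  # served: "/"
    print(hardened_handle("203.0.113.7", "/../../.."))    # (403, None)
    print(hardened_handle("10.0.0.5", "/%2e%2e/etc/passwd"))  # (404, None)
    print(hardened_handle("10.0.0.5", "/src/Main.java"))
```

The path is percent-decoded exactly once before normalization, so an encoded %2e%2e is caught, while a double-encoded %252e%252e decodes to a literal file name that stays under the root. Allowed clients asking for the document root itself ("/") still get a 200 with the root path, which is the intended behaviour of the feature; only escapes above the root are refused.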
Comment 1 _ rkubacki 2001-04-19 12:55:39 UTC
Access restriction works in newer versions. Also, the default is to grant access to
selected hosts, not to any host.
Comment 2 Quality Engineering 2003-07-01 09:35:03 UTC
Resolved for 3.3.x or earlier, no new info since then -> closing.