Bug 4768 - Vulnerability of IDE. http server allows access to local disk to any host.
Status: CLOSED FIXED
Product: ide
Classification: Unclassified
Component: Internal Server
-FFJ-
All All
: P1
: TBD
Assigned To: iformanek
issues@ide
Depends on:
Blocks:
Reported: 1999-11-24 17:40 UTC by issues@www
Modified: 2005-03-09 04:28 UTC

See Also:
Issue Type: DEFECT
Description issues@www 1999-11-24 17:40:42 UTC
Vulnerable Application:
> Sun Microsystems NetBeans (recently renamed to Forte`) Java IDE
>
> Versions tested:
> Netbeans Developer 3.0 Beta
> Forte Community Edition 1.0 Beta
> unknown if earlier versions have vulnerability
>
> Platform tested:
> Windows NT 4.0
> unknown if other platforms have vulnerability
>
> Description:
> The IDE includes an internal HTTP server to try Java code.  The settings
> indicate that access must be explicitly granted on a per IP address basis.
> However, when service is enabled for one machine, the HTTP server allows
> remote access to root and all subdirectories from any machine.  NOTE, for
> the NetBeans 3.0 Beta version, this is the default activity.  Therefore, no
> action is required by the user for the vulnerability to exist.  Under the
> Forte` 1.0 Beta version, a user must enable at least one address in the
> HTTP server settings for the vulnerability to exist.  However, once a
> single IP address is entered, any machine can connect to the internal HTTP
> server port (default is 8082).  Even if all IP addresses are removed, the
> server continues to allow connections when the IDE is running.
>
> Example:
> While the IDE is running connecting with any browser to
> http://vvv.xxx.yyy.zzz:8082/..
> provides a listing of the root directory.
> Sub-directories can then be accessed.
>
> Solution (work around):
> 1) Set the HTTP Server "Enable" setting to False in Project settings.
> or
> 2) Remove the HTTP Server module in Global settings.
>
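
Added example, not code from NetBeans or from the reporter: a fail-closed form of the two checks the report describes as missing, the per-address grant list (an empty or disabled list denies everyone) and confinement of requests to the served directory so a request for `/..` cannot list the disk root. The settings class, function names and the sample root path are assumptions.

```python
import ipaddress
from pathlib import PurePosixPath


class HttpServerSettings:
    """Constructed model of the two settings the report names: the server's
    "Enable" flag and the per-address grant list (field names are assumed)."""

    def __init__(self, enabled, granted_hosts=()):
        self.enabled = enabled
        self.granted = {ipaddress.ip_address(h) for h in granted_hosts}


def is_host_allowed(settings, remote_ip):
    """Fail closed: deny unless the server is enabled, the grant list is
    non-empty, and the caller's address is explicitly listed.  Emptying the
    list therefore denies everyone instead of leaving the port open."""
    if not settings.enabled or not settings.granted:
        return False
    try:
        return ipaddress.ip_address(remote_ip) in settings.granted
    except ValueError:
        return False  # unparsable peer address: treat as not granted


def resolve_under_root(root, url_path):
    """Lexically map a URL path onto the served tree.  Returns None when the
    path would climb above the root, so '/..' never reaches the disk root.
    Symlinks and percent-encoding are outside this check's scope."""
    segments = []
    for part in PurePosixPath("/" + url_path).parts[1:]:
        if part in ("", "."):
            continue
        if part == "..":
            if not segments:
                return None  # would climb above the served root
            segments.pop()
        else:
            segments.append(part)
    return str(PurePosixPath(root).joinpath(*segments))


def handle_request(settings, remote_ip, url_path, root="/home/dev/project"):
    """HTTP status an access-checked server would send (root is a sample)."""
    if not is_host_allowed(settings, remote_ip):
        return 403
    if resolve_under_root(root, url_path) is None:
        return 400
    return 200
```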
Comment 1 _ rkubacki 2001-04-19 12:55:39 UTC
Access restriction works in newer versions. Also, the default is to grant access to
selected hosts, not to any host.
Comment 2 Quality Engineering 2003-07-01 09:35:03 UTC
Resolved for 3.3.x or earlier, no new info since then -> closing.

