This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Vulnerable Application:
> Sun Microsystems NetBeans (recently renamed to Forte`) Java IDE
>
> Versions tested:
> NetBeans Developer 3.0 Beta
> Forte Community Edition 1.0 Beta
> unknown if earlier versions have vulnerability
>
> Platform tested:
> Windows NT 4.0
> unknown if other platforms have vulnerability
>
> Description:
> The IDE includes an internal HTTP server to try Java code. The settings
> indicate that access must be explicitly granted on a per IP address basis.
> However, when service is enabled for one machine, the HTTP server allows
> remote access to root and all subdirectories from any machine. NOTE, for
> the NetBeans 3.0 Beta version, this is the default activity. Therefore, no
> action is required by the user for the vulnerability to exist. Under the
> Forte` 1.0 Beta version, a user must enable at least one address in the
> HTTP server settings for the vulnerability to exist. However, once a
> single IP address is entered, any machine can connect to the internal HTTP
> server port (default is 8082). Even if all IP addresses are removed, the
> server continues to allow connections when the IDE is running.
>
> Example:
> While the IDE is running connecting with any browser to
> http://vvv.xxx.yyy.zzz:8082/..
> provides a listing of the root directory.
> Sub-directories can then be accessed.
>
> Solution (work around):
> 1) Set the HTTP Server "Enable" setting to False in Project settings.
> or
> 2) Remove the HTTP Server module in Global settings.
>
Access restriction works in newer versions. Also, the default is to grant access to selected hosts, not to any host.
Resolved for 3.3.x or earlier, no new info since then -> closing.
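
The two checks the report describes as missing, enforcing the allowed-address list on every request and keeping the resolved path under the served root, can be sketched as follows. This is an added example, not NetBeans or Forte code: the class `RequestGate`, its method names, the `webroot` directory and the sample addresses are hypothetical, and the URL path is assumed to be percent-decoded before it reaches the gate.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/** Hypothetical access gate for an IDE-embedded HTTP server (illustrative names). */
public class RequestGate {
    private final Set<InetAddress> allowed; // an empty set means nobody is allowed
    private final Path docRoot;

    public RequestGate(Set<InetAddress> allowed, Path docRoot) {
        this.allowed = Set.copyOf(allowed);
        this.docRoot = docRoot.toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or null when the request must be refused. */
    public Path resolve(InetAddress peer, String decodedUrlPath) {
        // Check the peer on every request, so that entering one address does not
        // open the server to all hosts and removing the last address closes it.
        if (!allowed.contains(peer)) return null;
        try {
            // Strip leading slashes so the path is always resolved under docRoot.
            String rel = decodedUrlPath.replaceFirst("^/+", "");
            Path target = docRoot.resolve(rel).normalize();
            // "/.." normalizes to the parent of docRoot and fails this test.
            return target.startsWith(docRoot) ? target : null;
        } catch (InvalidPathException e) {
            return null; // malformed path: refuse rather than guess
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample addresses from the documentation range 192.0.2.0/24.
        InetAddress dev = InetAddress.getByName("192.0.2.10");
        InetAddress other = InetAddress.getByName("192.0.2.99");
        Path root = Paths.get("webroot"); // hypothetical served directory
        RequestGate gate = new RequestGate(Set.of(dev), root);
        System.out.println(gate.resolve(dev, "/index.html"));   // allowed host, file under root
        System.out.println(gate.resolve(dev, "/.."));           // allowed host, path above root
        System.out.println(gate.resolve(other, "/index.html")); // host not in the list
        RequestGate emptied = new RequestGate(Set.of(), root);  // all addresses removed
        System.out.println(emptied.resolve(dev, "/index.html"));
    }
}
```

`normalize()` is purely lexical; a server that serves directories containing symbolic links would also need to compare `toRealPath()` of an existing target against the real root.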