CVE-1999-1527
CVSS 7.5
Published: 1999-11-23 00:00:00
Last revised: 2016-10-17 22:05:28

[Original] Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server.


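[CNNVD] Sun Java IDE Webserver IP Restriction Failure Vulnerability (CNNVD-199911-067)

        A vulnerability exists in the Internal HTTP server of the Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta. It does not properly restrict access to IP addresses as specified in its configuration, and arbitrary remote attackers can use this vulnerability to access the server.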

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:sun:netbeans_developer:3.0_beta
cpe:/a:sun:forte:community_1.0_beta

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1527
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1527
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-067
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=94338883114254&w=2
(UNKNOWN)  BUGTRAQ  19991123 NetBeans/ Forte' Java IDE HTTP vulnerability
http://www.securityfocus.com/bid/816
(VENDOR_ADVISORY)  BID  816

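- Vulnerability Information

Sun Java IDE Webserver IP Restriction Failure Vulnerability
High risk  Access validation error
1999-11-23 00:00:00 2006-04-21 00:00:00
Remote
        A vulnerability exists in the Internal HTTP server of the Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta. It does not properly restrict access to IP addresses as specified in its configuration, and arbitrary remote attackers can use this vulnerability to access the server.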

- Advisories and Patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability Information

115
Sun NetBeans Java IDE HTTP Server IP Restriction Bypass Arbitrary File/Directory Access

- Vulnerability Description

- Timeline

1999-11-23 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Sun Java IDE Webserver IP Restriction Failure Vulnerability
Access Validation Error 816
Yes No
1999-11-23 12:00:00 2009-07-11 12:56:00
Posted to bugtraq on November 23, 1999 by Halcyon Skinner <hskinner@jhsph.edu>.

- Affected Program Versions

Sun Netbeans Developer 3.0 Beta For NT
- Microsoft Windows NT 4.0
Sun Forte Community Edition 1.0 Beta For NT
- Microsoft Windows NT 4.0

- Vulnerability Discussion

These Java development applications include an HTTP server for testing purposes. The server can be configured to respond only to requests from certain IP addresses; however, the mechanism fails and any requests received are serviced. The server will allow read access to any file on the filesystem that it has access to, all the way up to the root directory. In the Netbeans product, this is the default 'out of the box' configuration. In the Forte product, IP addresses must be added manually to a list of permitted clients. Once a single IP address is added, any requests regardless of source are responded to.

- Exploit

http://victim.com:8082/

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

     

     
