Bugtraq mailing list archives
RE: J2EE EJB privacy leak and DOS.
From: "Alan Rouse" <ARouse () n2bb com>
Date: Tue, 15 Oct 2002 11:36:45 -0400
Without more details, it sounds to me as if an attacker would first have to deploy her own code in the EJB server, before she could attack the target user's objects. If the attacker has that capability, can't she accomplish the same end with or without this vulnerability? Or is there a way to exploit this without the attacker having power to deploy her own code?

-----Original Message-----
From: Sylvia [mailto:sbt13 () cryogenic net]
Sent: Monday, October 14, 2002 1:43 AM
To: bugtraq () securityfocus com
Subject: J2EE EJB privacy leak and DOS.

Hi,

I've contacted Sun twice about this, and they've not responded to me.

The EJB security model associates roles with users, and controls their access to object methods based on those roles. Where the object is a stateful session object, any user can access it, provided they have the necessary roles. This is true even if the object was created by a different user. This means that information private to one user can be accessed by another. There is also a DOS available because any user can destroy the object.

The EJB client is not meant to change its security association, but neither of the implementations I've tested enforce this. The EJB specification does not actually require the server to do so.

To access the object, a user's client needs to know the IOR. However, on the implementations I've tested, IORs are allocated in a trivial way that makes it simple to derive new valid IORs from an existing valid one.

Sylvia.
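As an added example (not code from this thread, nor from the EJB servers Sylvia tested): one defensive pattern against the privacy leak and the destroy-based denial of service she describes is to have the stateful session bean record the principal that created it and reject every later call from any other principal, on top of the container's role check. The bean, its methods, the "customer" role and the exception class are all hypothetical names chosen for the illustration.

```java
// Added example, not from the thread: a stateful session bean bound to its creator.
// Bean, method and role names are hypothetical.
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remove;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

@Stateful
@RolesAllowed("customer") // container-enforced role check: the only check in the flaw described
public class ShoppingCartBean {

    // Checked exception, so it is an EJB *application* exception: the container
    // keeps the instance alive instead of discarding it on a rejected call.
    public static class NotOwnerException extends Exception {
        public NotOwnerException(String msg) { super(msg); }
    }

    @Resource
    private SessionContext ctx;

    // Name of the principal that created this instance; fixed once at creation.
    private String ownerName;

    private final List<String> items = new ArrayList<>();

    @PostConstruct
    private void bindToCreator() {
        // The first caller, the one that created the bean, becomes its owner.
        Principal creator = ctx.getCallerPrincipal();
        ownerName = creator.getName();
    }

    // Rejects any caller other than the creator, even one that holds the
    // "customer" role and has obtained a valid reference to this bean.
    private void requireOwner() throws NotOwnerException {
        String caller = ctx.getCallerPrincipal().getName();
        if (ownerName == null || !ownerName.equals(caller)) {
            throw new NotOwnerException("caller is not the owner of this session bean");
        }
    }

    public void addItem(String sku) throws NotOwnerException {
        requireOwner();
        items.add(sku);
    }

    public List<String> getItems() throws NotOwnerException {
        requireOwner();
        return Collections.unmodifiableList(new ArrayList<>(items));
    }

    // Only the owner may remove the bean, closing the destroy-by-anyone path.
    @Remove
    public void checkout() throws NotOwnerException {
        requireOwner();
        items.clear();
    }
}
```

The exception type matters: if the ownership check threw a runtime (system) exception such as `EJBAccessException`, the container would discard the stateful instance after the failed call, so a non-owner who reached the bean could still destroy the owner's state simply by being rejected. Using an application exception keeps the instance intact and leaves the rejected call auditable in the server log.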
Current thread:
- J2EE EJB privacy leak and DOS. Sylvia (Oct 14)
- Re: J2EE EJB privacy leak and DOS. Rudolf Schreiner (Oct 15)
- <Possible follow-ups>
- RE: J2EE EJB privacy leak and DOS. Alan Rouse (Oct 15)
- Re: J2EE EJB privacy leak and DOS. Ari Gordon-Schlosberg (Oct 16)
- RE: J2EE EJB privacy leak and DOS. Sylvia Else (Oct 18)