Bugtraq mailing list archives

Re: J2EE EJB privacy leak and DOS.


From: Ari Gordon-Schlosberg <regs () nebcorp com>
Date: Tue, 15 Oct 2002 17:27:28 -0700

[Alan Rouse <ARouse () n2bb com>]
> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects.  If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
>
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?


The whole point of EJB application servers is to have pluggable
applications that can be bought and deployed.  This hole would allow my
code from, say, an email component to grab objects used by the credit-card
processing module.

-- 
Ari Gordon-Schlosberg http://www.nebcorp.com/~regs/pgp for PGP public key

