Bugtraq mailing list archives
Re: J2EE EJB privacy leak and DOS.
From: Ari Gordon-Schlosberg <regs () nebcorp com>
Date: Tue, 15 Oct 2002 17:27:28 -0700
[Alan Rouse <ARouse () n2bb com>]
Without more details, it sounds to me as if an attacker would first have to deploy her own code in the EJB server, before she could attack the target user's objects. If the attacker has that capability, can't she accomplish the same end with or without this vulnerability? Or is there a way to exploit this without the attacker having power to deploy her own code?
The whole point of EJB application servers is to have pluggable applications that can be bought and deployed. This hole would allow my code from, say, an email component to grab objects used by the credit-card processing module.

--
Ari Gordon-Schlosberg
http://www.nebcorp.com/~regs/pgp for PGP public key
Current thread:
- J2EE EJB privacy leak and DOS. Sylvia (Oct 14)
- Re: J2EE EJB privacy leak and DOS. Rudolf Schreiner (Oct 15)
- RE: J2EE EJB privacy leak and DOS. Alan Rouse (Oct 15)
- Re: J2EE EJB privacy leak and DOS. Ari Gordon-Schlosberg (Oct 16)
- RE: J2EE EJB privacy leak and DOS. Sylvia Else (Oct 18)