J2EE EJB privacy leak and DOS.

From: Sylvia (sbt13at_private)
Date: Sun Oct 13 2002 - 22:42:53 PDT

Next message: pyramid-rpat_private: "Pyramid Research Project - atphttpd security advisorie"

Previous message: pyramid-rpat_private: "Pyramid Research Project - ghttpd security advisorie"
Next in thread: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Reply: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Reply: Sylvia Else: "RE: J2EE EJB privacy leak and DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I've contacted Sun twice about this, and they've not responded to me.

The EJB security model associates roles with users, and controls their 
access to object methods based on those roles.

Where the object is a stateful session object, any user can access it, 
provided they have the necessary roles. This is true even if the object was 
created by a different user. This means that information private to one 
user can be accessed by another. There is also a DOS available because any 
user can destroy the object.

The EJB client is not meant to change its security association, but neither 
of the implementations I've tested enforce this. The EJB specification does 
not actually require the server to do so.

To access the object, a user's client needs to know the IOR. However, on 
the implementations I've tested, IORs are allocated in a trivial way that 
makes it simple to derive new valid IORs from an existing valid one.

Sylvia.

Next message: pyramid-rpat_private: "Pyramid Research Project - atphttpd security advisorie"
Previous message: pyramid-rpat_private: "Pyramid Research Project - ghttpd security advisorie"
Next in thread: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Reply: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Reply: Sylvia Else: "RE: J2EE EJB privacy leak and DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 17:14:08 PDT