Re: J2EE EJB privacy leak and DOS.

From: Ari Gordon-Schlosberg (regsat_private)
Date: Tue Oct 15 2002 - 17:27:28 PDT

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2002:205-15] New kernel fixes local security issues"

Previous message: secureat_private: "[CLA-2002:532] Conectiva Linux Security Announcement - sendmail"
In reply to: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Next in thread: Sylvia Else: "RE: J2EE EJB privacy leak and DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Alan Rouse <ARouseat_private>]
> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects.  If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
> 
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?
> 

The whole point of EJB application servers is to have pluggable
applications that can be bought and deployed.  This hole would allow my
code from, say, an email component to grab objects used by the credit-card
processing module.

-- 
Ari Gordon-Schlosberg http://www.nebcorp.com/~regs/pgp for PGP public key

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2002:205-15] New kernel fixes local security issues"
Previous message: secureat_private: "[CLA-2002:532] Conectiva Linux Security Announcement - sendmail"
In reply to: Alan Rouse: "RE: J2EE EJB privacy leak and DOS."
Next in thread: Sylvia Else: "RE: J2EE EJB privacy leak and DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 18:34:25 PDT