Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: J2EE EJB privacy leak and DOS.
From: Rudolf Schreiner <ras () objectsecurity com>
Date: Tue, 15 Oct 2002 13:47:23 +0200 (CEST)

On Mon, 14 Oct 2002, Sylvia wrote:

The EJB security model associates roles with users, and controls their 
access to object methods based on those roles.

Yep.
 
Where the object is a stateful session object, any user can access it, 
provided they have the necessary roles. This is true even if the object was 
created by a different user. This means that information private to one 
user can be accessed by another. There is also a DOS available because any 
user can destroy the object.

That's a feature, not a bug. ;-)#

The EJB specification defines simple role based access control, as you
describe. There are no attributes like "owner of an object". The CORBA
security services 1.x have the same problem, just with rights instead of
roles. In both cases the enforcement of real world security policies is
very hard. In many cases you have to implement the policy enforcement in
your application, in contradiction to the declarative concept of EJB
security.

Since we are also not happy with EJB and CORBA Components security we are
currently trying to develop something more useful as part of an IST
research project. 
 
To access the object, a user's client needs to know the IOR. However, on 
the implementations I've tested, IORs are allocated in a trivial way that 
makes it simple to derive new valid IORs from an existing valid one.

An IOR is not supposed to protect an object. That's (pseudo) security by
obscurity. 
The problem is something different: Sometimes IORs contain sensitive
information in the ObjectId. Once I've even seen a credit card number in
an IOR.

Cheers,
Rudi
------------------------------------------------------------------------
Rudolf Schreiner, CTO, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS
Tel. +44 1223 420252, Fax. +44 1223 420844 
ras () objectsecurity com, www.objectsecurity.com
------------------------------------------------------------------------ 



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault