mailing list archives
Re: J2EE EJB privacy leak and DOS.
From: Ari Gordon-Schlosberg <regs () nebcorp com>
Date: Tue, 15 Oct 2002 17:27:28 -0700
[Alan Rouse <ARouse () n2bb com>]
Without more details, it sounds to me as if an attacker would first have
to deploy her own code in the EJB server, before she could attack the
target user's objects. If the attacker has that capability, can't she
accomplish the same end with or without this vulnerability?
Or is there a way to exploit this without the attacker having power to
deploy her own code?
The whole point of EJB application servers is to have pluggable
applications that can be bought and deployed. This hole would allow my
code from, say, an email component to grab objects used by the credit-card
Ari Gordon-Schlosberg http://www.nebcorp.com/~regs/pgp for PGP public key