[Alan Rouse <ARouse@n2bb.com>]
> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects. If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
>
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?

The whole point of EJB application servers is to have pluggable applications that can be bought and deployed. This hole would allow my code from, say, an email component to grab objects used by the credit-card processing module.

--
Ari Gordon-Schlosberg
http://www.nebcorp.com/~regs/pgp for PGP public key