1 Reply Latest reply on Dec 3, 2004 8:41 AM by frito

    General EJB security question

    ericl

      Hi,

      I've been mulling over the following security hole in EJBs. Please tell me I am missing something, as this seems like an enormous, systemic problem.

      Let's say my bean has a method that takes as an argument some non-final object, and calls a non-final method of that Object, like so:

      public void helloWorld (Object o)
      {
          System.out.println ("what could go wrong? " + o.toString ());
      }

      Totally harmless, right? But wait, can't any hacker call helloWorld and pass in his own, hacked subclass of Object, like:

      public class Hacker extends Object
      {
          public String toString ()
          {
              // access the database
              // delete everything.
              // generally screw everything up
              return "you have been own3d. sucker.";
          }
      }

      It seems to me that every EJB installation in the world that allows access to untrusted clients must be vulnerable to this attack, unless they have taken the highly unlikely step of making all their objects and methods final. What am I missing?


      Thanks,
      Eric
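An added example, not part of the original post, that demonstrates the boundary the question turns on: a remote EJB argument travels as a serialized stream that carries only the class name and field values, and the receiving JVM decides whether to resolve that name at all. `ClientOnlySubclass`, `AllowListInputStream` and the allow-list contents are constructed for this illustration; the allow-list ObjectInputStream is a standard hardening pattern, not part of EJB itself.

```java
import java.io.*;
import java.util.Set;

// Added example: a serialized object is name + state, not code. The receiving
// side resolves the class by name and may refuse names it does not accept.
public class EjbArgumentBoundaryDemo {

    // Stand-in for the poster's "Hacker" subclass (constructed name).
    static class ClientOnlySubclass implements Serializable {
        private static final long serialVersionUID = 1L;
        @Override public String toString() { return "only runs if the receiver instantiates me"; }
    }

    // Stand-in for the server side: resolve only argument types the bean is
    // written to accept (constructed allow-list). Anything else is rejected
    // before an instance exists, so no method of it can run.
    static class AllowListInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of("java.lang.String");
        AllowListInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not an accepted argument type");
            }
            return super.resolveClass(desc);
        }
    }

    // Client side: what actually crosses the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Server side: the bean method from the post, fed from the wire bytes.
    static String helloWorld(byte[] wireBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListInputStream(new ByteArrayInputStream(wireBytes))) {
            Object o = in.readObject();   // toString() is reached only for an accepted class
            return "what could go wrong? " + o;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(helloWorld(serialize("a plain String")));
        try {
            helloWorld(serialize(new ClientOnlySubclass()));
        } catch (InvalidClassException e) {
            System.out.println("rejected before any method ran: " + e.getMessage());
        }
    }
}
```

Without the allow-list, a plain ObjectInputStream would still need the named class on the receiver's own classpath and would throw ClassNotFoundException otherwise; the filter makes that decision explicit and auditable.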