This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "J2EE Misconfiguration: Weak Access Permissions"

From OWASP
m (Reverted edits by SitleTorac (Talk) to last version by KirstenS)
 

Latest revision as of 19:55, 26 May 2009

Template:CandidateForDeletion

#REDIRECT Least Privilege Violation


Last revision (mm/dd/yy): 05/26/2009


Description

Permission to invoke EJB methods should not be granted to the special ANYONE role, nor declared with the portable ejb-jar.xml equivalent, the <unchecked/> element.

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, the container will dispatch those methods to any caller, including an unauthenticated one, without an authorization check. Such a grant indicates either that access control for the application has not been fully thought through, or that the application is structured in such a way that reasonable access control restrictions are impossible.


Risk Factors

  • Likelihood: catch-all grants are most often introduced as a shortcut during development and never tightened. They matter most when the bean's business methods are reachable by remote clients, so that the container's method permission is the only check between the caller and the method.
  • Technical impact: any caller, authenticated or not, can invoke the affected methods; the EJB container performs no role check for them.
  • Business impact: depends on what the open method does. In the example below, it is the disclosure of employee salary data.


Examples

The following deployment descriptor grants the ANYONE role permission to invoke the Employee EJB's getSalary() method, so every caller of the bean can read salary data.

	<ejb-jar>
		...
		<assembly-descriptor>
			<method-permission>
				<role-name>ANYONE</role-name>
				<method>
					<ejb-name>Employee</ejb-name>
					<method-name>getSalary</method-name>
				</method>
			</method-permission>
		</assembly-descriptor>
		...
	</ejb-jar>
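The following is an added example, not code from the original page or from OWASP: a small scanner that reads an ejb-jar.xml and reports every method permission that opens a method to all callers, together with a constructed corrected descriptor for comparison. Both descriptors are constructed samples. The weak one is the page's Employee/getSalary grant plus a second grant that uses the portable <unchecked/> element and a method-name wildcard; the hardened one restricts getSalary to an assumed hr-manager role and puts an assumed recalculateAllSalaries method on the exclude-list. The ANYONE role name comes from the page; the set of catch-all role names is an assumption to be extended for your container.

```python
import xml.etree.ElementTree as ET

# Roles some containers treat as "every caller". ANYONE is the one the
# page's example uses; add your container's equivalent if it has one.
OPEN_ROLES = {"ANYONE"}

# Constructed sample: the page's weak descriptor (with its </method>
# closed) plus a second grant that uses the portable <unchecked/> form
# of the same mistake together with a method-name wildcard.
WEAK_DESCRIPTOR = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>Payroll</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed sample of the corrected descriptor in the EJB 3 namespace:
# getSalary is granted only to a declared hr-manager role, and a method
# that no client should reach is placed on the exclude-list. The role
# and method names are illustrative assumptions.
HARDENED_DESCRIPTOR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <assembly-descriptor>
    <security-role>
      <role-name>hr-manager</role-name>
    </security-role>
    <method-permission>
      <role-name>hr-manager</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
    <exclude-list>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>recalculateAllSalaries</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>"""


def _local(tag):
    """Strip a namespace ('{uri}name' -> 'name') so EJB 2.x descriptors
    (DTD, no namespace) and EJB 3.x ones (javaee namespace) scan alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def find_weak_method_permissions(xml_text):
    """Return one finding per (ejb, method) that any caller may invoke:
    either a catch-all role such as ANYONE or an <unchecked/> grant."""
    findings = []
    for perm in ET.fromstring(xml_text).iter():
        if _local(perm.tag) != "method-permission":
            continue
        roles = [r.text.strip() for r in _children(perm, "role-name") if r.text]
        open_roles = [r for r in roles if r.upper() in OPEN_ROLES]
        unchecked = bool(_children(perm, "unchecked"))
        if not open_roles and not unchecked:
            continue
        reason = "unchecked" if unchecked else "role " + ",".join(open_roles)
        for m in _children(perm, "method"):
            name = _text(m, "method-name")
            findings.append({
                "ejb": _text(m, "ejb-name"),
                "method": name,
                "reason": reason,
                "wildcard": name == "*",  # '*' opens every method of the bean
            })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_DESCRIPTOR), ("hardened", HARDENED_DESCRIPTOR)):
        hits = find_weak_method_permissions(xml_text)
        print(f"{label}: {len(hits)} open grant(s)")
        for h in hits:
            print(f"  {h['ejb']}.{h['method']} open via {h['reason']}")
```

Run against the weak descriptor the scanner reports both Employee.getSalary (via the ANYONE role) and Payroll.* (via <unchecked/>, with the wildcard flagged); the hardened descriptor produces no findings. For EJB 3 beans that use annotations instead of the descriptor, the same review applies to the bean classes: @PermitAll is the annotation form of <unchecked/>, and @RolesAllowed together with @DeclareRoles is the fix. The scanner ignores <method-intf> and <method-params>, so two grants for overloaded methods of the same name are reported as one.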


Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD