Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Journal of IlyaM (2933)

Saturday April 06, 2002
04:56 PM

SOAP::Lite *HUGE* security hole

[ #4012 ]
There was article in Phrack named 'RPC without borders' about quite serious security hole in SOAP::Lite module four months ago. Have it been fixed? Not yet.

What this article about? In short: you can call any Perl subroutine on side of SOAP::Lite based server. As proof I've wrote simple exploit which gives instant shell access on any box which runs SOAP::Lite based server.

Why such serious security hole haven't been fixed for so long time? I guess nobody bothered to send email to Paul Kulchenko (author of this module). So I've just sent him email about it (with my exploit attached).

In spirit of full disclosure I'm going to post that exploit on bugtraq in two weeks whenether this security hole fixed or not.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.