Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

geoff (2013)

geoff
  reversethis-{gro ... om} {ta} {ffoeg}
http://www.modperlcookbook.org/

see http://www.modperlcookbook.org/~geoff/ [modperlcookbook.org] for personal information, links to presentations, GPG key, and so on.

Journal of geoff (2013)

Tuesday April 09, 2002
07:44 AM

Is Apache::SOAP vunerable?

[ #4050 ]
I read the phrack article pointed to in Ilya's journal so I think I understand the issue with security in SOAP::Lite. I'd like to hear Paul's opinion on this, but I think that the SOAP::Lite server I use the most, Apache::SOAP, would seem to be somewhat protected from this behavior - the PerlSetVar dispatch_to would limit the namespaces that can be dispatched, thus keeping potential bad guys from making arbitrary method calls

for me, at least, without the exploit in hand it's hard to tell. guess I should read that article again today and check out the happenings on the soaplite list to see how things progress...
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • As I understand Perl and the Phrack article, Apache::SOAP (as you describe it; I haven't looked at the code yet) has the same vulnerability as SOAP::Lite. Originally, I thought about recommending people be extra pedantic in the method calls they accept, since that would not trigger the over-accepting behavior.

    That doesn't appear to be the case.

    When you send a fully qualified function name (e.g. POSIX::mktime) as your method name, the $obj->$method(@params) idiom will call POSIX::mktime instead of a