Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Old SOAP::Lite exploit 3 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Against a server running SOAP::Lite 0.51 I get:

    Can't use an undefined value as an ARRAY reference at ./exploit.pl line 80.

    It doesn't seem to matter what I type at the prompt, that's all I get.

    -sam

    • Just tested it with 0.52 and it works. Sample server:

      #!/usr/bin/perl -w

      use SOAP::Transport::HTTP;

      my $daemon = SOAP::Transport::HTTP::Daemon
          -> new (LocalAddr => 'localhost', LocalPort => 8000, Reuse => 1)
          -> dispatch_to(Test);

      print "Contact to SOAP server at ", $daemon->url, "\n";
      $daemon->handle;

      package Test;

      sub hello {
          join ' ', '[', @_, ']', "\n";
      }

      I think I did test this exploit with 0.51 in the past and it worked. Or maybe my memory fails

      --

      Ilya Martynov (http://martynov.org/ [martynov.org])

  • Very interesting. It would appear that there was a warning about the use of autodispatch in earlier versions of SOAP::Lite, to quote:

    WARNING: autodispatch feature can have side effects for your application and can affect functionality of other modules/libraries because of overloading UNIVERSAL::AUTOLOAD. All unresolved calls will be dispatched as SOAP calls, however it could be not what you want in some cases. If so, consider using object interface (see implementation of OO interface).

    I just guess that n

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.