Tuesday, April 9, 2002

SOAP::Lite Vulnerability Issue I don't have time to check this exploit, but if the issue described below is verified, Perl web services are in a world of hurt : IlyaM writes "About four months ago there was Phrack article named RPC without borders which describes quite serious security hole in SOAP::Lite module. In short, SOAP::Lite allows to call any Perl subroutine on side of SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that security hole in SOAP::Lite have been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) haven't done it." This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available. [use Perl] I'm afraid the author is right, I do hope an update is under way. More on this later... 1:00:50 PM    comments:   Google It!

last updated: 10/21/02; 12:44:12 AM.

Currently subscribed to:

  Curiouser and curiouser!

  Don W Strickland: RadioFAQ

  John Robb's Radio Weblog

  Jon's Radio

  klogs

  Linux Magazine

  Mac Net Journal

  Matt Mower: liveTopics

  New York Times: International

  O'Reilly Network Articles

  O'Reilly Safari

  Paolo Valdemarin: Paolo's Weblog

  Radio Free Blogistan

  radio-dev

  Radio.root Updates

  Sam Ruby

  Scripting News

  Simon Fell

  Slashdot

  The FuzzyBlog!

  TidBITS

  toolbox

Here's how this works.