© copyright 2002 by Marc Barrot.
Tuesday, April 9, 2002
SOAP::Lite Vulnerability Issue
I don't have time to check this exploit, but if the issue described below is verified, Perl web services are in a world of hurt:
IlyaM writes "About four months ago there was a Phrack article named RPC without borders which describes a quite serious security hole in the SOAP::Lite module. In short, SOAP::Lite allows calling any Perl subroutine on the side of a SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to a computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that the security hole in SOAP::Lite has been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) haven't done it."
This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available. [use Perl]
I'm afraid the author is right; I do hope an update is under way. More on this later...
1:00:50 PM
last updated: 10/21/02; 12:44:12 AM.