security
SITE SECURITY ISSUES



Subscribe to "security" in Radio UserLand.

Click to see the XML version of this web page.

Click here to send an email to the editor of this weblog.

© copyright 2002
by Marc Barrot.

Permalink
Tuesday, April 9, 2002

SOAP::Lite Vulnerability Issue

I don't have time to check this exploit, but if the issue described below is verified, Perl web services are in a world of hurt :

IlyaM writes "About four months ago there was Phrack article named RPC without borders which describes quite serious security hole in SOAP::Lite module. In short, SOAP::Lite allows to call any Perl subroutine on side of SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that security hole in SOAP::Lite have been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) haven't done it."

This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available. [use Perl]

I'm afraid the author is right, I do hope an update is under way. More on this later...

1:00:50 PM  Permalink  comments:   Google It!  


April 2002
Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Mar   Jun

last updated: 10/21/02; 12:45:17 AM.