1394 Re: Preventing package name traversal attacks

  • Ilya Martynov
    Apr 9, 2002
      >>>>> On Tue, 09 Apr 2002 17:24:48 -0000, "theonetowhommyrefers" <theonetowhommyrefers@y..> said:

      T> There is an article at Use::Perl which discusses a serious security
      T> hole in SOAP::Lite -
      T> http://use.perl.org/articles/02/04/09/000212.shtml?tid=5

      T> This article is based on another article at Phrack:
      T> http://www.phrack.com/show.php?p=58&a=9

      T> From what I can tell the security hole is that autodispatch allows
      T> direct access to fully qualified package names and thus arbitrary
      T> commands can be executed on the remote machine.

      T> How can we stop such attacks?

      I've sent Paul a private email with the source code of an exploit I've
      written but I haven't got any response yet.

      For now you may try to use this patch (diff against latest
      SOAP::Lite). It is 'unofficial', I haven't tested it too much but it
      does seem to protect against attacks which use fully qualified package
      names. At least it seems to stop my exploit.

      Of course there is NO WARRANTY that it does fix a problem or that it
      doesn't cause any damage.

      --- /home/ilya/tmp/Lite.pm Tue Apr 9 21:27:07 2002
      +++ /usr/share/perl5/SOAP/Lite.pm Tue Apr 9 21:40:10 2002
      @@ -2068,6 +2068,11 @@
      ($method_uri, $method_name) = ($request->namespaceuriof || '', $request->dataof->name)
      unless $method_name;

      + # don't allow method names which contain package names
      + # i.e package::method or package'method (old deprecated syntax)
      + die "Denied access to method ($method_name)"
      + if $method_name =~ /[:']/;
      $self->on_action->(my $action = $self->action, $method_uri, $method_name);

      my($class, $static);
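
      Review bot: The test on $method_name (if $method_name =~ /[:']/) is a denylist of the two package separators only, applied to a value taken straight from the request ($request->dataof->name). Consider stating what is allowed instead, for example: die ... unless $method_name =~ /^[A-Za-z_]\w*$/; so that anything other than a plain identifier is refused rather than just the two characters known today. The die message also interpolates the client-supplied $method_name; a fixed string would keep request data out of the fault text. A short comment saying why the check has to run before on_action is called would help whoever touches this block next.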

      Ilya Martynov (http://martynov.org/)
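
The behaviour the thread describes, as an added example that is not part of the original post and is not SOAP::Lite code: a constructed dispatcher showing why a client-supplied method name needs checking before `$obj->$name(...)`, with a stricter allowlist variant of the patch's test. All package, sub and variable names here (`Demo::Service`, `Demo::Internal`, `dispatch_checked`, `%EXPOSED`) are hypothetical.

```perl
#!/usr/bin/perl
# Added example: constructed dispatcher, not code from SOAP::Lite.
use strict;
use warnings;

package Demo::Service;              # hypothetical class meant to be remote-callable
sub new        { my $class = shift; return bless {}, $class }
sub echo       { my ($self, @args) = @_; return "echo: @args" }
sub debug_dump { return "debug data" }   # exists, but not meant for clients

package Demo::Internal;             # hypothetical code never meant to be remote
sub secret { return "internal code reached" }

package main;

# Unchecked: the client-supplied string is used directly as the method name.
# Perl resolves a name containing a package qualifier in that package,
# so the call is no longer confined to the class of $obj.
sub dispatch_unchecked {
    my ($obj, $name, @args) = @_;
    return $obj->$name(@args);
}

# Checked: the name must be a plain identifier AND on an explicit list.
# The error text is fixed, so request data is not reflected back.
my %EXPOSED = map { $_ => 1 } qw(echo);

sub dispatch_checked {
    my ($obj, $name, @args) = @_;
    die "Denied access to method\n"
        unless defined $name
            && $name =~ /\A[A-Za-z_]\w*\z/
            && $EXPOSED{$name};
    return $obj->$name(@args);
}

# Constructed sample method names, as a request might carry them.
my $svc = Demo::Service->new;
for my $name ('echo', 'Demo::Internal::secret', "Demo'Internal'secret", 'debug_dump') {
    my $plain  = eval { dispatch_unchecked($svc, $name, 'hi') } // 'died';
    my $strict = eval { dispatch_checked($svc, $name, 'hi') }   // 'denied';
    print "$name => unchecked: $plain | checked: $strict\n";
}
```

The last sample name contains neither `:` nor `'`, so a separator-only test lets it through; the allowlist is what keeps it out.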