1394 Re: Preventing package name traversal attacks
- Apr 9, 2002
>>>>> On Tue, 09 Apr 2002 17:24:48 -0000, "theonetowhommyrefers" <theonetowhommyrefers@y..> said:

T> There is an article at Use::Perl which discusses a serious security
T> hole in SOAP::Lite -
T> This article is based on another article at Phrack:
T> From what I can tell the security hole is that autodispatch allows
T> direct access to fully qualified package names and thus arbitrary
T> commands can be executed on the remote machine.
T> How can we stop such attacks?

I've sent Paul a private email with the source code of an exploit I wrote,
but I haven't got any response yet.
For now you may try to use this patch (diff against latest
SOAP::Lite). It is 'unofficial', I haven't tested it too much but it
does seem to protect against attacks which use fully qualified package
names. At least it seems to stop my exploit.
Of course there is NO WARRANTY that it does fix a problem or that it
doesn't cause any damage.
--- /home/ilya/tmp/Lite.pm Tue Apr 9 21:27:07 2002
+++ /usr/share/perl5/SOAP/Lite.pm Tue Apr 9 21:40:10 2002
@@ -2068,6 +2068,11 @@
($method_uri, $method_name) = ($request->namespaceuriof || '', $request->dataof->name)
+ # don't allow method names which contain package names
+ # i.e package::method or package'method (old deprecated syntax)
+ die "Denied access to method ($method_name)"
+ if $method_name =~ /[:']/;
$self->on_action->(my $action = $self->action, $method_uri, $method_name);
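Review bot: the added test `$method_name =~ /[:']/` is a denylist of the two package separators, so anything else that is not a plain identifier still passes through to `on_action` and to dispatch. An allowlist is tighter and easier to reason about: die unless `$method_name =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/`. The check also covers only `$method_name`; `$method_uri`, assigned on the same line from `$request->namespaceuriof`, is not validated in this hunk, so confirm that whatever maps it to a class is restricted to the packages the server means to expose. Finally, the `die` message interpolates the client-supplied name, so consider a fixed message if the text can end up in a fault returned to the caller or in a log.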
Ilya Martynov (http://martynov.org/)