
Re: [soaplite] Re: Preventing package name traversal attacks

  • Ilya Martynov
    Message 1 of 9, Apr 10, 2002
      >>>>> On Tue, 9 Apr 2002 23:38:16 -0700 (PDT), Paul Kulchenko <paulclinger@...> said:

      PK> access till the end of this week. I wasn't aware about the
      PK> possibility of using phrack's exploit in such way, yet it seems like
      PK> it shouldn't work with -T option used on server side. Unfortunately
      PK> -T option doesn't stop you from using $object->$method() even if
      PK> $method string is tainted, which allows accessing already loaded
      PK> modules.

      Well, I've just sent you private email with modified exploit which
      does work even if -T option is used on server side.

      --
      Ilya Martynov (http://martynov.org/)
    • Robert Taylor
      Message 2 of 9, Apr 10, 2002
        Thanks, Paul and Ilya, for addressing this serious
        issue.

        --- Paul Kulchenko <paulclinger@...> wrote:
        > Hi, Ilya!
        > ...
        >
        > To disable it on server side you may use on_action
        > handler:
        >
        > ->on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })

        This server side check works for me.

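A server endpoint built around the on_action check quoted above, added here as an example rather than code from the thread or from SOAP::Lite itself. It goes a step further than the quoted regex: dispatch is pinned to one class and the method name must match an explicit allowlist, so a name such as `Other::Package::method` never reaches `$object->$method()`. The `Demo` class, its two methods and the allowlist are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a SOAP::Lite CGI endpoint that
# (1) dispatches only to one class and (2) rejects any method name that is
# not a plain identifier on an explicit allowlist. Demo and its methods are
# hypothetical.
use strict;
use warnings;
use SOAP::Transport::HTTP;

package Demo;
# The only methods a client may invoke (assumed names).
my %ALLOWED = map { $_ => 1 } qw(hello add);
sub hello { my ($class, $name) = @_; return "Hello, $name" }
sub add   { my ($class, $x, $y) = @_; return $x + $y }

package main;
SOAP::Transport::HTTP::CGI
    ->dispatch_to('Demo')      # never dispatch to an arbitrary package
    ->on_action(sub {
        # Handler receives (SOAPAction, method URI, method name); the
        # thread's check inspects $_[2], the method name, and so does this.
        my ($action, $uri, $method) = @_;
        die "Access denied\n"
            unless defined $method
                && $method =~ /\A[a-z][a-z0-9_]*\z/   # no ':' or quotes
                && $ALLOWED{$method};                # and explicitly allowed
    })
    ->handle;
```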
      • give_me_a_donut
        Message 3 of 9, Apr 10, 2002
          I have access to two versions of SOAP::Lite, one is 0.46 and one is
          0.52. I have found 0.52 to be vulnerable to the phrack exploit, yet
          0.46 seems to perform some type of validation and hence is not
          affected by the exact problem. This is quite a good thing, as last
          time I checked ActiveState was still shipping 0.46 with their
          distribution and making no later version available via PPM.

          When I try the exploit on a SOAP::Lite 0.46 server, I receive the
          following fault message in reply (dumped via Data::Dumper's
          Dumper($response->fault)):

          'faultcode' => 'SOAP-ENV:Client',
          'detail' => 'SOAPAction shall match \'uri#method\' if present',
          'faultstring' => 'Bad SOAPAction',
          'faultactor' => 'http://hostname:port/'

          If anyone has further information on this, or has seen a working
          exploit on this version, please let me know.

          Regards,
          Michael