Hi, Ilya!
Yes, this patch may work and thanks for bringing this up.
> I've sent Paul private email with source code of exploit I've written
> but I haven't got any response yet.
I've been offline since Saturday and will have only occasional online
access until the end of this week. I wasn't aware of the
possibility of using Phrack's exploit in such a way, yet it seems like
it shouldn't work with the -T option used on the server side. Unfortunately,
the -T option doesn't stop you from using $object->$method() even if
the $method string is tainted, which allows accessing already loaded
modules.
To disable it on the server side you may use an on_action handler:
->on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })
There is also a patch that adds checking of the method name against the methods
and classes allowed in dispatch_to(). It will go into the next release.
Sorry for the inconvenience.
Best wishes, Paul.
--- Ilya Martynov <ilya@...> wrote:
> >>>>> On Tue, 09 Apr 2002 17:24:48 -0000, "theonetowhommyrefers" <theonetowhommyrefers@y..> said:
>
> T> There is an article at Use::Perl which discusses a serious security
> T> hole in SOAP::Lite -
> T> http://use.perl.org/articles/02/04/09/000212.shtml?tid=5
>
> T> This article is based on another article at Phrack:
> T> http://www.phrack.com/show.php?p=58&a=9
>
> T> From what I can tell the security hole is that autodispatch allows
> T> direct access to fully qualified package names and thus arbitrary
> T> commands can be executed on the remote machine.
>
> T> How can we stop such attacks?
>
> I've sent Paul private email with source code of exploit I've written
> but I haven't got any response yet.
>
> For now you may try to use this patch (diff against latest
> SOAP::Lite). It is 'unofficial', I haven't tested it too much but it
> does seem to protect against attacks which use fully qualified package
> names. At least it seems to stop my exploit.
>
> Of course there is NO WARRANTY that it does fix a problem or that it
> doesn't cause any damage.
>
> --- /home/ilya/tmp/Lite.pm Tue Apr 9 21:27:07 2002
> +++ /usr/share/perl5/SOAP/Lite.pm Tue Apr 9 21:40:10 2002
> @@ -2068,6 +2068,11 @@
> ($method_uri, $method_name) = ($request->namespaceuriof || '',
> $request->dataof->name)
> unless $method_name;
>
> + # don't allow method names which contain package names
> + # i.e package::method or package'method (old deprecated syntax)
> + die "Denied access to method ($method_name)"
> + if $method_name =~ /[:']/;
> +
> $self->on_action->(my $action = $self->action, $method_uri,
> $method_name);
>
> my($class, $static);
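Review bot: the added test `$method_name =~ /[:']/` is a denylist of two separator characters, so every other unexpected name still passes through to the dispatch code below; matching the name against a positive pattern for a plain identifier (for example `/\A[A-Za-z_][A-Za-z0-9_]*\z/`) and dying otherwise would be the tighter check at this point. The `die "Denied access to method ($method_name)"` string also has no trailing "\n", so Perl appends the file path and line number of Lite.pm to the message, and it echoes the client-supplied name back unchanged; ending the message with "\n" and dropping or sanitising the echoed name avoids both. Because the check runs before the `$self->on_action->(...)` call, a site's own on_action handler never sees the rejected request, which is worth a comment for anyone relying on that handler for logging.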
>
>
> --
> Ilya Martynov (http://martynov.org/)
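The server-side check discussed in this thread (refuse method names containing a package separator, then check the name against the classes and methods that are meant to be exposed), as an added example that is not code from SOAP::Lite or from either poster. The `Demo::*` packages, `%ALLOWED` and `resolve_method` are hypothetical names, and the requests in the loop are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins: one class meant to be exposed, one that is merely loaded.
package Demo::Calc     { sub add  { my ($class, $x, $y) = @_; return $x + $y } }
package Demo::Internal { sub wipe { return "internal state wiped" } }

package main;

# Hypothetical allowlist in the spirit of dispatch_to(): class => permitted methods.
my %ALLOWED = ('Demo::Calc' => { add => 1 });

# Resolve a request to a code reference or die; the name is never called directly.
sub resolve_method {
    my ($class, $method) = @_;

    # Same test as the patch and the on_action handler: no package separators.
    die "Denied access to method\n" if $method =~ /[:']/;

    # Positive check: a plain identifier and nothing else.
    die "Malformed method name\n" unless $method =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;

    # The class and the method must both be on the allowlist.
    die "Class not allowed\n"  unless exists $ALLOWED{$class};
    die "Method not allowed\n" unless $ALLOWED{$class}{$method};

    my $code = $class->can($method) or die "No such method\n";
    return $code;
}

# Constructed requests: one legitimate call and three that must be refused.
my @requests = (
    ['Demo::Calc',     'add'],
    ['Demo::Calc',     'Demo::Internal::wipe'],   # fully qualified name
    ['Demo::Calc',     "Demo'Internal'wipe"],     # old package'method syntax
    ['Demo::Internal', 'wipe'],                   # loaded, but not exposed
);

for my $req (@requests) {
    my ($class, $method) = @$req;
    my $result = eval { resolve_method($class, $method)->($class, 2, 3) };
    printf "%-15s %-22s => %s", $class, $method,
        defined $result ? "ok: $result\n" : "refused: $@";
}
```

Only the first request reaches its method; the last one shows why the separator test alone is not enough when a class that is loaded but not exposed is named directly.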