PerlMonks  

Careful!

by Dragonfly (Priest)
on Apr 12, 2002 at 18:56 UTC ( [id://158645]=note )


in reply to Google - tastic!

Although I think it's terrific that Google is opening up their APIs, we shouldn't forget the recent security problems with SOAP::Lite.

I'm not saying this should stop you from going ahead and tinkering with this stuff (I'm sure going to ;-) ... just be careful out there. It seems that it is fairly easy to abuse servers running the SOAP::Lite module, to the point where I heard somebody claim they wrote a script that gave them root access in under two hours. (They also claimed to be somewhat inexpert with Perl, amusingly enough.)

I'd wait before deploying this on a production box. Anyway, I've gotta get back to this PHP project, see ya around!

Replies are listed 'Best First'.
Re: Careful!
by redsquirrel (Hermit) on Apr 12, 2002 at 19:24 UTC
    ...we shouldn't forget the recent security problems with SOAP::Lite.
    The security problems only affect SOAP servers, not SOAP clients. There is no known security risk in developing clients with SOAP::Lite.

    --Dave

Re: Careful!
by IlyaM (Parson) on Apr 13, 2002 at 01:48 UTC
    I heard somebody claim they wrote a script that gave them root access in under two hours. (They also claimed to be somewhat inexpert with Perl, amusingly enough.)

    Hmm, are you talking about me? Nobody claimed that the exploit can give root access. The exploit gives shell access under the same UID as the SOAP::Lite server runs. Unless the server runs under root (very bad idea), the exploit cannot give root access. And I've never claimed that I'm inexpert in Perl :)

    And anyway redsquirrel is right: the exploit is for SOAP::Lite servers, but not for clients.

    --
    Ilya Martynov (http://martynov.org/)
