IlyaM contributed a story to use Perl; noting that a potential security problem with the SOAP::Lite module has been known for a while, but apparently hasn't been fixed. I haven't done much with the module, but the problem appears to be real, and a big one, so I'm posting this because I think it deserves wider distribution. If you use SOAP::Lite, I urge you to follow the discussion.

P.S.
Don't upvote this, upvote IlyaM.

Replies are listed 'Best First'.
Re: Security problem in SOAP::Lite
by rjray (Chaplain) on Apr 09, 2002 at 07:27 UTC

    This also includes XMLRPC::Lite, unfortunately. And I believe that the way in which the Frontier::RPC2 module handles marshalling on the server side is roughly the same, making it vulnerable as well.

    I believe that the server classes of my RPC::XML package are safe, as I don't open up things by package name-space, routines have to be explicitly "added" to a server object before it will serve requests to them. But I can't be 100% certain, of course, and will be checking and testing over the next few days.

    --rjray

    UPDATE: I was wrong about Frontier, it seems. I thought I had seen a syntax in either an example or somewhere else, in which it just gave a namespace to specify a group of available RPC routines. But I can't find that, now. I may well have just hallucinated the whole episode.

[reply]
      Frontier::RPC2 is not vulnerable as the server must be initialised with named functions/subrefs: 
      # from perldoc Frontier::Daemon
SYNOPSIS
    
    use Frontier::Daemon;
    
    Frontier::Daemon->new(methods => {
        'rpcName' => \&sub_name,
           ...
        });

      [download]
      which are executed after the following check: 
      # from Frontier::RPC2
my $method = $call->{'method_name'};
if (!defined $methods->{$method}) {
    return $self->encode_fault(3, "no such method \`$method'\n");
}

      [download]
         larryk                                          
perl -le "s,,reverse killer,e,y,rifle,lycra,,print"
[reply]
[d/l]
[select]
Re: Security problem in SOAP::Lite
by belg4mit (Prior) on Apr 09, 2002 at 04:05 UTC
    I am surprised people are surprised by this. It really is very old news. Unfortunately I cannot remember where I came across it. I thought it was on /. but their article was only a few weeks ago (mid March).

    PS> Come to think of it it may have been because I was visting phrack back when I started here to read up on poison-null. Didn't know I was supposed to call in a 4-alarm fire.

    --
    perl -pe "s/\b;([mnst])/'\1/mg"

[reply]
[reply]
Re: Security problem in SOAP::Lite
by hossman (Prior) on Apr 09, 2002 at 20:42 UTC
    After reading The Docs and The Phrack article I'm unclear on what the real problem is. (NOTE: those two links are my only experience with SOAP, so forgive me if I say something naive).

    Granted, SOAP::Lite lets you run a SOAP server in which any available method can be called remotely -- but that seems to be by design. If you don't want that behavior, you can use the dispatch_to method to restrict all incoming SOAP calls to a particular Module, method, or Module Directory to protect the server from attacks attempting to call methods outside of those Modules, methods or Module Directories.

    Is the issue here that even with a conservative use of dispatch_to Servers can be compromised, or that naive SOAP::Lite users might leave themselves open without realizing it?

    (Or is the issue that I'm missunderstanding the docs?)

[reply]
[d/l]
[select]
      The problem is that while SOAP::Lite is designed to limit SOAP calls to particular packages it fails to do it properly. As result this restriction can be bypassed and any Perl subroutine in any package can be called.

      --
      Ilya Martynov (http://martynov.org/)

[reply]
Re: Security problem in SOAP::Lite (PATCH)
by grep (Monsignor) on Apr 15, 2002 at 08:28 UTC
[reply]

Back to Meditations