Re: Security problem in SOAP::Lite

After reading The Docs and The Phrack article I'm unclear on what the real problem is. (NOTE: those two links are my only experience with SOAP, so forgive me if I say something naive).

Granted, SOAP::Lite lets you run a SOAP server in which any available method can be called remotely -- but that seems to be by design. If you don't want that behavior, you can use the dispatch_to method to restrict all incoming SOAP calls to a particular Module, method, or Module Directory to protect the server from attacks attempting to call methods outside of those Modules, methods or Module Directories.

Is the issue here that even with a conservative use of dispatch_to Servers can be compromised, or that naive SOAP::Lite users might leave themselves open without realizing it?

(Or is the issue that I'm missunderstanding the docs?)

Comment on Re: Security problem in SOAP::Lite Select or Download Code

Replies are listed 'Best First'.
Re: Re: Security problem in SOAP::Lite by IlyaM (Parson) on Apr 10, 2002 at 18:20 UTC
The problem is that while SOAP::Lite is designed to limit SOAP calls to particular packages it fails to do it properly. As result this restriction can be bypassed and any Perl subroutine in any package can be called. -- Ilya Martynov (http://martynov.org/)	[reply]