Michael G Schwern wrote:
>
> On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
> > There's already a %dispatch set up for you by perl...
>
> I'd have used it but it just fell into the gaping security hole.
>
> A recent Phrack article pointed out that one of the SOAP/RPC/XML
> modules was doing this:
>
> $soap->$tainted_method_name(@args);
>
> where $tainted_method_name was derived from the Outside World.
> Because it wasn't doing any checking one could remotely pass in
> something like:
>
> I::want::you::to::call::this::method::instead
>
> and it would. Because the method name is absolute it would work. As
> long as the method in question doesn't look at its arguments (as
> below) it will run fine. It just so happens that there was a method
> which granted authorization which didn't use its arguments. Ergo,
> security hole.
Notice that the regex match (which should have been /\[([A-Z]+)\]/ )
effectively untaints and closes the security hole by disallowing
anything through that is not [A-Z]+.
>
> Yes, there are plans to make symbolic refs and dynamic method calls
> taint check in 5.8.1.
>
> > while( $vData =~ ) {
> > my $vSub = ucfirst lc $1;
> > main->$vSub();
> ^^^^^^^^^^^^^^
>
> that's a method call which will cause problems if the subroutine looks
> at its arguments. It'll see "main" as the first one.
>
> no strict 'refs';
> &$vSub;
>
> instead.
>
> > }
The original did not appear to use arguments. If it actually was, then
there would be a problem.
--
Rick Klement
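Putting the two patterns from the thread side by side, as an added example (not code from either poster): a loose match feeding a dynamic method call, and the allowlist form built on the /\[([A-Z]+)\]/ regex Rick names. The input string, `Other::Package::Grant` and the `%dispatch` entries are constructed for illustration.

```perl
use strict;
use warnings;

package main;

# Constructed sample standing in for data from the Outside World.
my $vData = '[LIST] [Other::Package::Grant] [GRANT]';

sub List   { return 'listed' }
sub Config { return 'configured' }

package Other::Package;
sub Grant  { return 'access granted (arguments ignored)' }   # hypothetical privileged sub
package main;

# Pattern 1 (unsafe): a permissive match lets '::' through, so the bracketed
# text can name an absolute subroutine anywhere in the program, and the
# method-call form also passes 'main' as the first argument.
sub dispatch_unsafe {
    my ($data) = @_;
    my @out;
    while ( $data =~ /\[([^\]]+)\]/g ) {
        my $vSub = $1;                          # may contain '::'
        my $r = eval { main->$vSub() };         # resolves Other::Package::Grant directly
        push @out, defined $r ? $r : "error: $@";
    }
    return @out;
}

# Pattern 2 (hardened): [A-Z]+ cannot match '::', the capture untaints the
# value under -T, and the explicit allowlist hash means only the listed
# entries are reachable. Code refs are called plainly, so no 'main' is passed.
my %dispatch = ( List => \&List, Config => \&Config );

sub dispatch_safe {
    my ($data) = @_;
    my @out;
    while ( $data =~ /\[([A-Z]+)\]/g ) {        # '[Other::Package::Grant]' never matches
        my $vSub = ucfirst lc $1;
        if ( my $code = $dispatch{$vSub} ) {
            push @out, $code->();
        } else {
            push @out, "rejected '$vSub'";     # '[GRANT]' gets here
        }
    }
    return @out;
}

print "unsafe: $_\n" for dispatch_unsafe($vData);
print "safe:   $_\n" for dispatch_safe($vData);
```

The unsafe loop reaches `Other::Package::Grant` with the bracketed name alone; the hardened loop never sees it, and a bare `[GRANT]` is refused by the allowlist rather than by luck of naming.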