"This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available.. . .
"This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available.

In short, SOAP::Lite allows to call any Perl subroutine on side of SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that security hole in SOAP::Lite have been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) haven't done it."

The link for this article located at use Perl [LWN] is no longer available.