I read the Phrack article pointed to in Ilya's journal so I think I understand the issue with security in SOAP::Lite. I'd like to hear Paul's opinion on this, but I think that the SOAP::Lite server I use the most, Apache::SOAP, would seem to be somewhat protected from this behavior - the PerlSetVar dispatch_to would limit the namespaces that can be dispatched, thus keeping potential bad guys from making arbitrary method calls.
For me, at least, without the exploit in hand it's hard to tell. Guess I should read that article again today and check out the happenings on the soaplite list to see how things progress...
That doesn't appear to be the case.
When you send a fully qualified function name (e.g. POSIX::mktime) as your method name, the $obj->$method(@params) idiom will call POSIX::mktime instead of a method in $object's package. That's the nature of the problem with dispatch_to in SOAP::Lite, and Apache::SOAP seems to make that same behavior available in a different form.
See rjray's comment about it. He's on the right track (and designed RPC::XML appropriately).
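The dispatch behaviour described in the reply above, shown next to a checked dispatcher. This is an added example, not part of either post and not code from SOAP::Lite, Apache::SOAP or RPC::XML. The `Demo::Service` and `Demo::Internal` packages and both `dispatch_*` functions are hypothetical names constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed packages for illustration; neither is from SOAP::Lite.
package Demo::Service;
sub new  { return bless {}, shift }
sub echo { my ($self, @args) = @_; return "echo: @args" }

package Demo::Internal;
# Not part of Demo::Service and never meant to be reachable through it.
sub helper { my (@args) = @_; return 'Demo::Internal::helper ran with ' . scalar(@args) . ' args' }

package main;

# Unchecked idiom: the method name comes straight from the request.
# A fully qualified name bypasses method resolution on $obj's class.
sub dispatch_unsafe {
    my ($obj, $method, @params) = @_;
    return $obj->$method(@params);
}

# Checked: accept only a bare identifier (no "::" and no "'" separator),
# then resolve it through the object's own class hierarchy.
# An explicit allowlist of exported method names would be stricter still,
# since can() also finds inherited methods.
sub dispatch_checked {
    my ($obj, $method, @params) = @_;
    die "rejected method name\n"
        unless defined $method && $method =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    my $code = $obj->can($method)
        or die "no such method\n";
    return $obj->$code(@params);
}

my $svc = Demo::Service->new;
for my $name ('echo', 'Demo::Internal::helper') {
    my $unsafe  = eval { dispatch_unsafe($svc, $name, 'a', 'b') }  // "died: $@";
    my $checked = eval { dispatch_checked($svc, $name, 'a', 'b') } // "died: $@";
    chomp($unsafe, $checked);
    print "$name\n  unsafe:  $unsafe\n  checked: $checked\n";
}
```

The name check has to come before `can`, because `can` on its own does not restrict the name to the object's class.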