SOAP security hole [was: Re: Squeak map colours]
Ramon Leon
ramonleon at cox.net
Tue Sep 26 06:45:09 UTC 2006
> The second is that it uses #readFrom: of Object which just evaluates
> the contents of the stream and checks if the result is a boolean.
>
> Impact:
> Any host that can send a SOAP message to a Squeak server or client can
> execute arbitrary Smalltalk code in that image.
>
Ouch, guess I won't be hosting any web services in Squeak. None of this
affects me though, since I'm only using it as a SoapClient, and I
control the server side services, so I trust them. But thanks for the
warning, guess I'll continue using .Net for writing all my Services and
Squeak for the web GUI against those services.
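The evaluation path described in the quoted report, as an added example that is not code from this post or from the Squeak SOAP package. It assumes the decoder turns an xsd:boolean element's text into a Smalltalk object with `Boolean readFrom:`, which is inherited from `Object class>>readFrom:` and hands the text to the Compiler before checking `isKindOf: Boolean`; the block name `parseXsdBoolean` is a hypothetical replacement, not an existing method.

```smalltalk
"Squeak workspace script. Added example, not code from the post or from
 the Squeak SOAP package. Assumption: the SOAP decoder maps an
 xsd:boolean element's text to a Smalltalk object with Boolean readFrom:,
 which in Squeak is Object class>>readFrom: and does
 Compiler evaluate: on the text before checking isKindOf: Boolean."
| parseXsdBoolean |

"1. The unsafe path, as described in the quoted report."
Boolean readFrom: 'true'.
    "The intended case: the literal is compiled and answers a Boolean."
Boolean readFrom: 'Transcript show: ''evaluated''; cr. true'.
    "Also passes the Boolean check: the whole expression is compiled and
     run first, the trailing true satisfies isKindOf: Boolean, and the
     side effect (here only a Transcript line) has already happened.
     Anything the image can do can sit in front of that trailing true."

"2. A replacement that decides by string comparison only and never
 compiles anything. It accepts the xsd:boolean lexical space
 (true, false, 1, 0), tolerates surrounding whitespace, and rejects
 everything else with an Error instead of evaluating it."
parseXsdBoolean := [:text |
    | s |
    s := text withBlanksTrimmed.
    (s = 'true' or: [s = '1'])
        ifTrue: [true]
        ifFalse: [
            (s = 'false' or: [s = '0'])
                ifTrue: [false]
                ifFalse: [Error signal: 'not an xsd:boolean: ', s]]].

parseXsdBoolean value: 'true'.
parseXsdBoolean value: ' 0 '.
parseXsdBoolean value: 'Transcript show: ''evaluated''. true'.
    "Signals an Error; the text is never handed to the Compiler."
```

The same rule applies to every other scalar type the decoder reads with `readFrom:` (numbers, dates and so on): decode by parsing the lexical form, never by evaluating it, because `Object class>>readFrom:` treats the wire data as Smalltalk source.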