SOAP frustrations
Dave Kuhlman
dkuhlman at rexx.com
Fri Oct 18 17:07:12 EDT 2002
Nicolas Chauvat wrote:
>> Yes. It *is* a security issue. By misusing port 80 for remote procedure
>> ... ^^^^^^^^
>> change the policy. Screwing around with port 80 is going to cause a lot
>> of ill-will. The first time a SOAP request comes through that runs some
>> random bit of code that causes some damage, you can fully expect to be
>> hung out to dry for it.
>>
>> Organizations have security policies for a reason. Hacking around them
>> will *never* end well.
>
> [applause]
I been waiting for someone else to ask this question so that I would not
have to show my ignorance. No such luck.
What about CGI? Uses port 80. Can run "random" bits of code. Powerful
enough to destroy servers with a single script. How is CGI any less of a
security threat? It doesn't take much of a wizard to write a Perl or
Python CGI script that trashes a system, or ruins a database, or ... Isn't
SOAP just another way of invoking a script. And, ditto for XML-RPC. With
SOAP (and XML-RPC) I put some request information in the body of the
request that I would have tacked onto the URL in CGI. How does that make
CGI any less dangerous.
Basically, hire any computer science student as an intern to come in and
write either CGI scripts or SOAP Web service scripts and you are asking for
"excitement".
And, isn't the point that any of these (CGI, SOAP, XML-RPC) are no more
dangerous than the scripts on the back-end that implement them, which puts
control on the back-end where we want it.
- Dave
[snip]
--
Dave Kuhlman
dkuhlman at rexx.com
http://www.rexx.com/~dkuhlman
More information about the Python-list
mailing list