From: Abe Usher
Date: Sun, 10 Oct 2004 20:57:48 -0400
To: freebsd-security@freebsd.org
Subject: MonkeyShell: using XML-RPC for access to a remote shell
Message-ID: <4169DA8C.3000304@sharp-ideas.net>

Security pundits have been warning about the dangers implicit with Web services for years.

A good starting point for understanding the security issues related to Web services can be found at:
http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci872720,00.html

Of course to really understand the security risks posed by Web services, you need to understand the basics of Web services. Enter an application I wrote called "Monkey Shell."

MonkeyShell is a simple open source Python application that uses extensible markup language remote procedure calls (XML-RPC) to execute commands through a remote system shell. I kept the code terse (less than 100 lines total) so that it can be studied easily.

It is similar to netcat except instead of "shell shoveling" data through a raw TCP connection, it wraps data in XML and transports it over HTTP.

MonkeyShell is freely available at: http://www.sharp-ideas.net/

Cheers,
Abe Usher, CISSP
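The point of the post is that a command shell wrapped in XML-RPC looks like ordinary HTTP to anything that only watches ports. The following is an added defender-side example, not MonkeyShell's code: it decodes XML-RPC request bodies with the standard library and flags calls whose method is outside an assumed allowlist or whose string parameters look like shell input. The allowlist, the method names and the sample bodies are all constructed for this example.

```python
"""Inspect XML-RPC request bodies for signs of a tunnelled command shell.

Added example, not MonkeyShell's own code. The allowlist below is an
assumed policy for a hypothetical blog service; the sample bodies are
constructed here."""
import re
import xmlrpc.client

# Assumed policy: the only XML-RPC methods the protected service exposes.
ALLOWED_METHODS = {"blog.getPosts", "blog.addComment"}

# Shell-like strings: a common command word at the start, or pipes,
# chaining, backticks, command substitution or redirection anywhere.
SHELL_PATTERN = re.compile(
    r"^\s*(?:cat|ls|id|whoami|uname|sh|bash|nc|wget|curl|chmod)\b"
    r"|[|;&`]|\$\(|[<>]\s*\S"
)


def _flatten(value):
    """Yield every leaf value nested inside XML-RPC structs and arrays."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _flatten(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _flatten(v)
    else:
        yield value


def inspect_xmlrpc(body: bytes):
    """Return (reason, detail) findings for one HTTP request body.

    An empty list means the body is a methodResponse or an allowlisted
    call with no shell-looking string parameters."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or not XML-RPC at all
        return [("unparseable", str(exc))]
    if method is None:  # methodResponse, not a methodCall
        return []
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(("unknown-method", method))
    for param in _flatten(params):
        if isinstance(param, str) and SHELL_PATTERN.search(param):
            findings.append(("shell-like-param", param))
    return findings


# Constructed sample bodies: one ordinary call, one tunnelled shell command.
BENIGN = xmlrpc.client.dumps(("2004-10",), methodname="blog.getPosts").encode()
SUSPECT = xmlrpc.client.dumps(("uname -a; id",), methodname="run").encode()

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_xmlrpc(body))
```

Run against a captured request log, the same function turns the "it is just HTTP" property into a concrete alert: the method name and any parameter text are visible once the XML-RPC envelope is decoded.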