
Boa Web Server v0.94.14 - Authentication Bypass

30 Mar 2023 | Reported by George Tsimpidas | Type: exploitdb | Source: www.exploit-db.com

Boa Web Server v0.94.14 - Authentication Bypass: an HTTP method validation issue allows bypass of Basic Authorization.

Code
# Exploit Title: Boa Web Server v0.94.14 - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas 
# Vendor: https://github.com/gpg/boa
# CVE: N/A 
# Tested on: Debian 5.18.5

Description :

Boa Web Server versions 0.94.13 through 0.94.14 fail to enforce the
correct security constraint on the HEAD HTTP method, allowing anyone
to bypass the Basic Authorization mechanism.

Culprit :

if (!memcmp(req->logline, "GET ", 4))
    req->method = M_GET;
else if (!memcmp(req->logline, "HEAD ", 5))
    /* head is just get w/no body */
    req->method = M_HEAD;
else if (!memcmp(req->logline, "POST ", 5))
    req->method = M_POST;
else {
    log_error_doc(req);
    fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
    send_r_not_implemented(req);
    return 0;
}

The value set by req->method = M_HEAD; is then used directly in the
response.c file. Here is how the method is handled for one of the
response codes:

/* R_NOT_IMP: 505 */
void send_r_bad_version(request * req)
{
    SQUASH_KA(req);
    req->response_status = R_BAD_VERSION;
    if (!req->simple) {
        req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");
        print_http_headers(req);
        req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */
    }
    if (req->method != M_HEAD) {
        req_write(req,
                  "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
                  "other than 0.9 and 1.0 "
                  "are not supported in Boa.\n<p><p>Version encountered: ");
        req_write(req, req->http_version);
        req_write(req, "<p><p></BODY></HTML>\n");
    }
    req_flush(req);
}


The condition in the code above, if (req->method != M_HEAD), means that
if the requested method is not equal to M_HEAD, then the following runs:

        req_write(req,
                  "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
                  "other than 0.9 and 1.0 "
                  "are not supported in Boa.\n<p><p>Version encountered: ");
        req_write(req, req->http_version);
        req_write(req, "<p><p></BODY></HTML>\n");
    }

So if the request actually carries the HTTP HEAD method, it is passed
through to every function that implements the response codes.
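
A simplified model of the defect class described above, next to a hardened form. This is an added example, not code from Boa or from the advisory author. The function names, the /admin/ rule and the shape of the weak check are assumptions made for illustration; only the method prefixes mirror the parser quoted above.

```c
/* Added example: simplified model, not Boa's source. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum method { M_GET, M_HEAD, M_POST, M_UNKNOWN };

/* Same prefix matching as the request-line parser quoted above. */
static enum method parse_method(const char *line)
{
    if (!strncmp(line, "GET ", 4))  return M_GET;
    if (!strncmp(line, "HEAD ", 5)) return M_HEAD;
    if (!strncmp(line, "POST ", 5)) return M_POST;
    return M_UNKNOWN;
}

/* Constructed rule for the demo: everything under /admin/ needs credentials. */
static int is_protected(const char *line)
{
    const char *path = strchr(line, ' ');
    return path && !strncmp(path + 1, "/admin/", 7);
}

/* Weak form (assumed shape of the defect class): the constraint is tied to a
 * list of methods, so a method missing from the list is never challenged. */
static int status_weak(const char *line, int authed)
{
    enum method m = parse_method(line);
    if (m == M_UNKNOWN) return 501;
    if ((m == M_GET || m == M_POST) && is_protected(line) && !authed) return 401;
    return 200;
}

/* Hardened form: authorization depends only on the resource and is decided
 * before any method-specific handling; HEAD differs only by omitting the body. */
static int status_hardened(const char *line, int authed)
{
    if (parse_method(line) == M_UNKNOWN) return 501;
    if (is_protected(line) && !authed) return 401;
    return 200;
}

int main(void)
{
    const char *reqs[] = { "GET /admin/cfg HTTP/1.0", "HEAD /admin/cfg HTTP/1.0",
                           "HEAD /index.html HTTP/1.0", "PUT /admin/cfg HTTP/1.0" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-28s weak=%d hardened=%d\n", reqs[i],
               status_weak(reqs[i], 0), status_hardened(reqs[i], 0));
    return 0;
}
```

The same invariant makes a useful regression test for any HTTP server: an unauthenticated HEAD to a protected resource must return the same status as an unauthenticated GET.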
