Bugtraq mailing list archives
BOA Webserver local path problem
From: conraduno () BINXDSIGN COM (Ian Shaughnessy)
Date: Tue, 27 Jun 2000 16:38:56 -0700
A quick little security hole... BOA Webserver (http://www.boa.org) is a small fast webserver that supports only basic functions. It beats the pants off of apache for speed; however, the only problem is that it does not do any URL parsing. It admits this (somewhere on the page it says you better lock down your file system real good), but the problem still remains.

Basically you can specify the full local path to any file on a Boa webserver and out it spits the contents, i.e. http://www.boaserver.com/../../../../etc/passwd returns the full contents of the passwd file. The only way to get around this is to make all files that you don't want viewed -rw-rw----; any world permissions for read and boa can see it.

Like I said already, they put a small disclaimer about this on their page, so this warning is more for people running this server who did _not_ realize this was a problem.

// Ian Shaughnessy
// conraduno () binxdsign com
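The two defensive pieces the post touches on, written out as an added example (this is not Boa's code, and the function names, the `/srv/example-docroot` document root and the sample tree are assumptions for illustration): first, the request-path containment check that Boa is described as not doing, which percent-decodes the URL path, collapses `.` and `..` segments while refusing anything that would climb above the document root, and resolves symlinks so a link inside the docroot cannot point outside it; second, an audit that walks a directory and lists every regular file with the world-read bit set, which is exactly the set of files the post says a Boa instance will serve whatever the URL.

```python
import os
import posixpath
import stat
import tempfile
from typing import List, Optional
from urllib.parse import unquote


def resolve_under_docroot(docroot: str, url_path: str) -> Optional[str]:
    """Map a request path onto the document root.

    Returns the absolute filesystem path to serve, or None when the request
    escapes the docroot (traversal, encoded traversal, NUL byte, or a symlink
    that resolves outside the root).
    """
    decoded = unquote(url_path)          # %2e%2e/ becomes ../
    if "\x00" in decoded:                # NUL would truncate the C-level path
        return None
    # Normalise relative to the URL root. Doing it on the stripped path
    # matters: posixpath.normpath("/../etc/passwd") silently yields
    # "/etc/passwd", which would hide the traversal from a prefix check.
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, rel))
    # realpath follows symlinks, so a link under docroot that targets
    # /etc/passwd fails this containment test as well.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def world_readable_files(directory: str) -> List[str]:
    """Return every regular file under `directory` readable by 'other' (o+r).

    This is the post's workaround viewed from the other side: anything this
    returns is servable by a server that does no path checking at all.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def demo_audit() -> List[str]:
    """Constructed sample tree: one file at 0660, one at 0644.

    Returns the basenames the audit flags, so the result is deterministic
    regardless of where the temporary directory lands.
    """
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "secrets.txt")
        public = os.path.join(tmp, "index.html")
        for path in (private, public):
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(private, 0o660)   # the post's recommendation: no world read
        os.chmod(public, 0o644)    # world-readable, so it would be served
        return [os.path.basename(p) for p in world_readable_files(tmp)]


if __name__ == "__main__":
    DOCROOT = "/srv/example-docroot"   # assumed docroot for the demo
    for req in ("/index.html",
                "/docs/../index.html",
                "/../../../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd",
                "/index.html%00.jpg"):
        print(f"{req!r:35} -> {resolve_under_docroot(DOCROOT, req)}")
    print("world-readable in sample tree:", demo_audit())
```

Running it shows the two traversal forms and the NUL-byte request mapped to `None` while ordinary requests resolve under the docroot, and the audit naming only `index.html`. The audit is the useful half for an operator who has already deployed the server: run it over the host's filesystem, not just the docroot, to see what a path-unaware server would hand out.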