Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BOA Webserver local path problem

From: conraduno () BINXDSIGN COM (Ian Shaughnessy)
Date: Wed, 28 Jun 2000 19:56:18 -0700

Ok, I feel like royal idiot now.  It turns out that the problem here does
not lie in Boa, it lies in the fact that I was using lynx to test
it.  Apparently when lynx is given a url such as
a.b.c.d/../../../../etc/passwd it spits out the localhost /etc/passwd
file, not even attempting to retrieve this from the remote a.b.c.d
server.  I had mistakenly interpreted this as being Boa's problem due to
the fact that the /etc/passwd files are the same on both of these
machines  that I tested and found this on.  I have since tested
this on more boxes and that was when I realized it was lynx.  Let me
apologize for any confusion I have caused.
Does anyone have any idea why lynx would show this behaviour however?  I
found it spit out the local /etc/passwd file both when it was started with
that url (like)
[user@host]# lynx a.b.c.d/../../../etc/passwd
and when I entered it into the G)o field.  Anyways, once again sorry for
the confusion; hope i didnt piss off/worry too many ppl out there.

// Ian Shaughnessy
// conraduno () binxdsign com

On Wed, 28 Jun 2000, Joey Hess wrote:


Ian Shaughnessy wrote:

A quick little security hole...
BOA Webserver (http://www.boa.org) is a small fast webserver that supports
only basic functions.  It beats the pants off of apache for speed however,
the only problem is that it does not do any URL parsing.



Basically you can specify the full
local path to any file on a Boa webserver and out it spits the
contents.  i.e. http://www.boaserver.com/../../../../etc/passwd returns
the full contents of the passwd file.  The only way to get around this is
to make all files that you dont want viewed -rw-rw----, any world
permissions for read and boa can see it.


<joeyh_> so boa does do path parsing or a chroot?
<Slimer> joeyh_: No chroot.  It takes '/../' and converts it to '/' (not
RFC compliant)

Slimer is Jonathon D Nelson <jnelson () boa org>. I have also tried to
reproduce the report with boa 0.93.15 and failed:

joey@gumdrop:~>wget http://lollypop/../../../../../../../../etc/passwd
--13:41:22--  http://lollypop:80/etc/passwd
           => `passwd'
Connecting to lollypop:80... connected!
HTTP request sent, awaiting response... 404 Not Found
13:41:22 ERROR 404: Not Found.


It admits this (somewhere on the page it says you better lock down your
file system real  good), but the problem still remains.


All I can find on the boa web page about security is this:
(http://www.boa.org/boa-2.html#ss2.4)

  Boa has been designed to use the existing file system security.
  In boa.conf, the directives user and group determine who Boa will run
  as, if launched by root. By default, the user/group is nobody/nogroup.
  This allows quite a bit of flexibility. For example, if you want to
  disallow access to otherwise accessible directories or files, simply make
  them inaccessible to nobody/nogroup. If the user that Boa runs as is "boa"
  and the groups that "boa" belongs to include "web-stuff" then
  files/directories accessible by users with group "web-stuff" will also
  be accessible to Boa.

Perhaps you should tell us the url to the page that says that
"you better lock down your file system real good".

--
see shy jo
Previous By Date Next
Previous By Thread Next

Current thread: