Bugtraq mailing list archives
Re: BOA Webserver local path problem
From: conraduno () BINXDSIGN COM (Ian Shaughnessy)
Date: Wed, 28 Jun 2000 19:56:18 -0700
Ok, I feel like a royal idiot now. It turns out that the problem here does not lie in Boa; it lies in the fact that I was using lynx to test it. Apparently when lynx is given a URL such as a.b.c.d/../../../../etc/passwd it spits out the localhost /etc/passwd file, not even attempting to retrieve this from the remote a.b.c.d server. I had mistakenly interpreted this as being Boa's problem due to the fact that the /etc/passwd files are the same on both of these machines that I tested and found this on. I have since tested this on more boxes and that was when I realized it was lynx. Let me apologize for any confusion I have caused.

Does anyone have any idea why lynx would show this behaviour, however? I found it spit out the local /etc/passwd file both when it was started with that URL, like

    [user@host]# lynx a.b.c.d/../../../etc/passwd

and when I entered it into the G)o field.

Anyways, once again sorry for the confusion; hope I didn't piss off/worry too many people out there.

// Ian Shaughnessy
// conraduno () binxdsign com

On Wed, 28 Jun 2000, Joey Hess wrote:
> Ian Shaughnessy wrote:
> > A quick little security hole... BOA Webserver (http://www.boa.org) is a small, fast webserver that supports only basic functions. It beats the pants off of apache for speed; however, the only problem is that it does not do any URL parsing.
> >
> > Basically you can specify the full local path to any file on a Boa webserver and out it spits the contents, i.e. http://www.boaserver.com/../../../../etc/passwd returns the full contents of the passwd file. The only way to get around this is to make all files that you don't want viewed -rw-rw----; any world permissions for read and boa can see it.
>
> <joeyh_> so boa does do path parsing or a chroot?
> <Slimer> joeyh_: No chroot. It takes '/../' and converts it to '/' (not RFC compliant)
>
> Slimer is Jonathon D Nelson <jnelson () boa org>.
>
> I have also tried to reproduce the report with boa 0.93.15 and failed:
>
> joey@gumdrop:~>wget http://lollypop/../../../../../../../../etc/passwd
> --13:41:22--  http://lollypop:80/etc/passwd
>            => `passwd'
> Connecting to lollypop:80... connected!
> HTTP request sent, awaiting response... 404 Not Found
> 13:41:22 ERROR 404: Not Found.
>
> > It admits this (somewhere on the page it says you better lock down your file system real good), but the problem still remains.
>
> All I can find on the boa web page about security is this:
> (http://www.boa.org/boa-2.html#ss2.4)
>
>   Boa has been designed to use the existing file system security. In boa.conf, the directives user and group determine who Boa will run as, if launched by root. By default, the user/group is nobody/nogroup. This allows quite a bit of flexibility. For example, if you want to disallow access to otherwise accessible directories or files, simply make them inaccessible to nobody/nogroup. If the user that Boa runs as is "boa" and the groups that "boa" belongs to include "web-stuff" then files/directories accessible by users with group "web-stuff" will also be accessible to Boa.
>
> Perhaps you should tell us the url to the page that says that "you better lock down your file system real good".
>
> --
> see shy jo
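Editor's note, added after the thread (this is illustrative code of my own, not Boa's source and not anything either poster wrote): the thread turns on two different ways of collapsing "/../". wget's rewrite of http://lollypop/../../etc/passwd to /etc/passwd is the RFC 3986 remove_dot_segments rule, under which ".." at the root is simply dropped, while Slimer describes Boa as textually replacing "/../" with "/". The example below implements the RFC rule, shows with a constructed path where the textual replacement (as Slimer describes it; the real Boa code may differ) gives a different answer, and wraps the resolver in a document-root containment check so a request can never map outside the configured root. The document root "/var/www" and the sample request paths are constructed for the example.

```python
"""Request-path resolution with RFC 3986 dot-segment removal and a
document-root containment check.  Added example; not Boa's code."""
import os
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 applied to an absolute URL path.

    '.' segments are dropped and '..' pops the previous segment; a '..'
    with nothing left to pop is discarded, which is why
    '/../../etc/passwd' becomes '/etc/passwd' (exactly what wget did
    in the thread above before sending the request).
    """
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue            # empty ('//') and '.' segments contribute nothing
        if segment == "..":
            if stack:
                stack.pop()     # climb one level, but never above the root
            continue
        stack.append(segment)
    result = "/" + "/".join(stack)
    # keep a trailing slash when the request asked for a directory
    if path.endswith(("/", "/.", "/..")) and stack:
        result += "/"
    return result


def textual_collapse(path: str) -> str:
    """The rewrite Slimer describes: replace '/../' with '/' until none remain.

    This is NOT RFC 3986 behaviour: '/a/../b' should resolve to '/b', but
    the textual rule yields '/a/b'.  It also leaves a bare trailing '/..'
    untouched.  Included only to show the difference; the real Boa source
    may do something else (assumption labelled here).
    """
    while "/../" in path:
        path = path.replace("/../", "/")
    return path


def resolve_request(docroot: str, request_path: str):
    """Map a request path to a filesystem path inside docroot, or None.

    Percent-decoding happens before normalisation so an encoded '..'
    is treated the same as a literal one.  The final prefix check is
    defence in depth: remove_dot_segments already cannot climb above
    '/', but a second, independent guard costs nothing.  Symlinks under
    docroot would additionally need os.path.realpath; not shown here.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None                     # NUL would truncate a C path string
    normalized = remove_dot_segments(decoded)
    root = os.path.normpath(docroot)
    candidate = os.path.normpath(os.path.join(root, normalized.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None                     # escaped the document root: refuse
    return candidate


if __name__ == "__main__":
    # constructed sample requests, including the one from the thread
    for req in ["/index.html",
                "/../../../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd",
                "/a/../b"]:
        print(f"{req:30} rfc={remove_dot_segments(unquote(req)):16} "
              f"textual={textual_collapse(unquote(req)):16} "
              f"fs={resolve_request('/var/www', req)}")
```

The point for anyone auditing a small server: the check that matters is not whether "/../" is stripped from the text of the request but whether the final filesystem path, after decoding and normalisation, still starts with the document root.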