[15545] in bugtraq
Re: BOA Webserver local path problem
daemon@ATHENA.MIT.EDU (Ian Shaughnessy)
Thu Jun 29 02:21:11 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006281950110.31772-100000@binxdsign.com>
Date: Wed, 28 Jun 2000 19:56:18 -0700
Reply-To: Ian Shaughnessy <conraduno@BINXDSIGN.COM>
From: Ian Shaughnessy <conraduno@BINXDSIGN.COM>
X-To: Joey Hess <joey@kitenet.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000628134243.B5935@kitenet.net>
Ok, I feel like royal idiot now. It turns out that the problem here does
not lie in Boa, it lies in the fact that I was using lynx to test
it. Apparently when lynx is given a url such as
a.b.c.d/../../../../etc/passwd it spits out the localhost /etc/passwd
file, not even attempting to retrieve this from the remote a.b.c.d
server. I had mistakenly interpreted this as being Boa's problem due to
the fact that the /etc/passwd files are the same on both of these
machines that I tested and found this on. I have since tested
this on more boxes and that was when I realized it was lynx. Let me
apologize for any confusion I have caused.
Does anyone have any idea why lynx would show this behaviour however? I
found it spit out the local /etc/passwd file both when it was started with
that url (like)
[user@host]# lynx a.b.c.d/../../../etc/passwd
and when I entered it into the G)o field. Anyways, once again sorry for
the confusion; hope i didnt piss off/worry too many ppl out there.
// Ian Shaughnessy
// conraduno@binxdsign.com
On Wed, 28 Jun 2000, Joey Hess wrote:
> Ian Shaughnessy wrote:
> > A quick little security hole...
> > BOA Webserver (http://www.boa.org) is a small fast webserver that supports
> > only basic functions. It beats the pants off of apache for speed however,
> > the only problem is that it does not do any URL parsing.
>
> > Basically you can specify the full
> > local path to any file on a Boa webserver and out it spits the
> > contents. i.e. http://www.boaserver.com/../../../../etc/passwd returns
> > the full contents of the passwd file. The only way to get around this is
> > to make all files that you dont want viewed -rw-rw----, any world
> > permissions for read and boa can see it.
>
> <joeyh_> so boa does do path parsing or a chroot?
> <Slimer> joeyh_: No chroot. It takes '/../' and converts it to '/' (not
> RFC compliant)
>
> Slimer is Jonathon D Nelson <jnelson@boa.org>. I have also tried to
> reproduce the report with boa 0.93.15 and failed:
>
> joey@gumdrop:~>wget http://lollypop/../../../../../../../../etc/passwd
> --13:41:22-- http://lollypop:80/etc/passwd
> => `passwd'
> Connecting to lollypop:80... connected!
> HTTP request sent, awaiting response... 404 Not Found
> 13:41:22 ERROR 404: Not Found.
>
> > It admits this (somewhere on the page it says you better lock down your
> > file system real good), but the problem still remains.
>
> All I can find on the boa web page about security is this:
> (http://www.boa.org/boa-2.html#ss2.4)
>
> Boa has been designed to use the existing file system security.
> In boa.conf, the directives user and group determine who Boa will run
> as, if launched by root. By default, the user/group is nobody/nogroup.
> This allows quite a bit of flexibility. For example, if you want to
> disallow access to otherwise accessible directories or files, simply make
> them inaccessible to nobody/nogroup. If the user that Boa runs as is "boa"
> and the groups that "boa" belongs to include "web-stuff" then
> files/directories accessible by users with group "web-stuff" will also
> be accessible to Boa.
>
> Perhaps you should tell us the url to the page that says that
> "you better lock down your file system real good".
>
> --
> see shy jo
>
