Boa Web Server 0.94.13 / 0.94.14 Authentication Bypass

2022.11.22
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass # Date: 19-11-2022 # Exploit Author: George Tsimpidas # Vendor: https://github.com/gpg/boa # CVE: N/A # Tested on: Debian 5.18.5 Description : Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate the correct security constraint on the HEAD http method allowing everyone to bypass the Basic Authorization Mechanism. Culprit : if (!memcmp(req->logline, "GET ", 4)) req->method = M_GET; else if (!memcmp(req->logline, "HEAD ", 5)) /* head is just get w/no body */ req->method = M_HEAD; else if (!memcmp(req->logline, "POST ", 5)) req->method = M_POST; else { log_error_doc(req); fprintf(stderr, "malformed request: \"%s\"\n", req->logline); send_r_not_implemented(req); return 0; } The req->method = M_HEAD; is being parsed directly on the response.c file, looking at how the method is being implemented for one of the response codes : /* R_NOT_IMP: 505 */ void send_r_bad_version(request * req) { SQUASH_KA(req); req->response_status = R_BAD_VERSION; if (!req->simple) { req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n"); print_http_headers(req); req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */ } if (req->method != M_HEAD) { req_write(req, "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n" "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions " "other than 0.9 and 1.0 " "are not supported in Boa.\n<p><p>Version encountered: "); req_write(req, req->http_version); req_write(req, "<p><p></BODY></HTML>\n"); } req_flush(req); } Above code condition indicates that if (req->method != M_HEAD) therefore if the the requested method does not equal to M_HEAD then req_write(req, "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n" "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions " "other than 0.9 and 1.0 " "are not supported in Boa.\n<p><p>Version encountered: "); req_write(req, req->http_version); req_write(req, "<p><p></BODY></HTML>\n"); } So if the method actually contains the http method of HEAD it's being passed for every function that includes all the response code methods.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top