
The last stable version of the Boa webserver, with marginally fewer CVEs.

costasvassilakis/boa-0.94.13

Boa 0.94.13

Boa is a simple and lightweight HTTP server which is occasionally still found in embedded firmware images for serving CGI scripts, files, and more. 0.94.13 is the last stable version, and was released in 2002.

Known Vulnerabilities

Unfixed

  • CVE-2009-4496 - Discovered by the ush.it team: Boa's error logs in 0.94.13 (and likely earlier) through 0.94.14-rc21 do not sanitize non-printable characters, which may allow a remote attacker to modify a window's title, possibly execute arbitrary commands or overwrite files, etc. via an HTTP request containing an escape sequence for a terminal emulator.
  • Failure to set a DefaultType in the boa.conf configuration file will result in requests without a clear MIME type (e.g. %F5) causing a segfault in alias.c at if (strcmp(CGI_MIME_TYPE, get_mime_type(buffer)) == 0), because the value returned by get_mime_type() is NULL and strcmp() dereferences it. This terminates Boa and creates an easy DoS, though this is more of an unfortunate misconfiguration (avoided by using a default config) than an explicit vulnerability.
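As an added example (not code from this repository or from Boa itself), the two defensive fixes the items above call for, in C: a log-field sanitizer that neutralises terminal escape sequences before a request line is written to the error log, and a NULL-safe form of the alias.c MIME comparison. The value of CGI_MIME_TYPE and the get_mime_type_stub() function are assumptions standing in for Boa's own definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for Boa's CGI_MIME_TYPE marker (only the name is on the page). */
#define CGI_MIME_TYPE "application/x-httpd-cgi"

/* Mitigation for the log-injection issue: escape every byte outside printable
 * ASCII as \xNN before it reaches the error log, so a request line cannot carry
 * a terminal escape sequence to the operator's screen. Caller frees the result. */
char *sanitize_log_field(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n * 4 + 1);   /* worst case: every byte becomes \xNN */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 0x20 && c < 0x7f)
            *p++ = (char)c;
        else
            p += sprintf(p, "\\x%02X", (unsigned)c);
    }
    *p = '\0';
    return out;
}

/* Hypothetical stand-in for Boa's get_mime_type(): with no DefaultType
 * configured it returns NULL for an extension it does not know. */
static const char *get_mime_type_stub(const char *filename)
{
    const char *ext = strrchr(filename, '.');
    if (ext != NULL && strcmp(ext, ".cgi") == 0)
        return CGI_MIME_TYPE;
    if (ext != NULL && strcmp(ext, ".html") == 0)
        return "text/html";
    return NULL;
}

/* NULL-safe form of the alias.c comparison: an unknown type is treated as
 * "not CGI" instead of being passed to strcmp() and crashing the server. */
int is_cgi_request(const char *filename)
{
    const char *mime = get_mime_type_stub(filename);
    return mime != NULL && strcmp(CGI_MIME_TYPE, mime) == 0;
}
```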

Changes

This repository contains Boa 0.94.13 with minimal changes. It should not be considered meaningfully enhanced from the original source. However, it does contain some integrations and output from tools to help identify security hotspots and bad practices.

Code

  • 2020-05-09 - Mirrored tarball of idlookup-1.2 from Peter Eriksson to extras/, required by examples/cgi-test.cgi and examples/nph-test.cgi
  • 2020-05-08 - Fixed preprocessing token error in src/compat.h, which was preventing compilation.

Integrations

  • LGTM - performs QL-based quality and security checks on the main repository as well as any PRs to help identify & track security hotspots.
  • Travis CI - builds Boa on Linux and macOS with GCC & Clang to ensure that changes don't immediately introduce quality issues.

security/*.txt

Some SAST tools are run manually on the latest version of this software to identify potential hotspots. Listed in increasing order of complexity, they are:

  • flawfinder - scans for potentially insecure functions being used in C programs.
  • cppcheck - performs flow-sensitive analysis to check C/C++ code for undefined behavior.
  • infer - a modular verification and analysis engine that checks Java/C/Obj-C code for null pointer dereferences and resource or memory leaks.

Summary 2020-05-08: Boa does not conform to modern, secure coding practices - which is expected - and has a number of potentially severe issues to investigate.

SHRuG Creed

We apply security tools & processes to assist developers in determining if legacy software is the right choice for their application. Where reasonable we will attempt to upgrade the security, reliability, and quality of legacy software.

However, we are not volunteering to be new maintainers for this software. We will not develop new features or substantially change its functionality. Please report bugs that result in security problems to us using the Issues tab and we will look into fixing them. Other bugs, feature requests, usability issues, etc. will be largely ignored or closed without warning.

Warranty & Liability

This work is licensed under the GNU GPLv2. This includes modifications by the SHRuG working group. In particular, we'd like to remind you of the "NO WARRANTY" section, as follows:

  1. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  2. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
