BOA Web Server 0.94.14rc21 - Arbitrary File Access

EDB-ID: 42290
Author: Miguel Mendez Z
Published: 2017-06-20
CVE: CVE-2017-9833
Type: Webapps
Platform: Linux
Title: Vulnerability in BOA Webserver 0.94.14
Date: 20-06-2017
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: Miguel Mendez Z
Vendor Homepage:
Version: Boa Webserver 0.94.14rc21
CVE: CVE-2017-9833

Vulnerability description
- Any file located on the server can be read.
The server allows "../.." to be injected through the FILECAMERA variable sent by GET, so files can be read with root privileges, without using access credentials.
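
A detection sketch for the behaviour described above, added here as an example and not part of the original advisory: it scans access-log lines for GET requests whose FILECAMERA value contains a ".." path segment, including percent-encoded and double-encoded forms. The log format (common/combined) and the `/PLACEHOLDER` endpoint are assumptions, since the advisory does not give the request path; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')  # request line in a log entry
PARAM = "FILECAMERA"  # parameter named in the advisory


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any '/'- or '\\'-separated segment of the decoded value is '..'."""
    return ".." in re.split(r"[/\\]+", fully_decode(value))


def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for GETs whose FILECAMERA value traverses."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        query = urlsplit(match.group("target")).query
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            if fully_decode(name).upper() == PARAM and has_traversal(raw):
                hits.append((number, fully_decode(raw)))
    return hits


# Constructed sample lines; "/PLACEHOLDER" and "EXAMPLE_FILE" are stand-ins, not values from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2017:10:00:01 +0000] "GET /PLACEHOLDER?FILECAMERA=front_door HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Jun/2017:10:00:02 +0000] "GET /PLACEHOLDER?FILECAMERA=../../EXAMPLE_FILE HTTP/1.1" 200 1432',
    '192.0.2.11 - - [20/Jun/2017:10:00:03 +0000] "GET /PLACEHOLDER?FILECAMERA=%2e%2e%2f%2e%2e%2fEXAMPLE_FILE HTTP/1.1" 200 901',
    '192.0.2.12 - - [20/Jun/2017:10:00:04 +0000] "GET /PLACEHOLDER?filecamera=%252e%252e%252fEXAMPLE_FILE HTTP/1.1" 404 0',
    '192.0.2.13 - - [20/Jun/2017:10:00:05 +0000] "GET /PLACEHOLDER?FILECAMERA=notes..txt HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: FILECAMERA traverses -> {value}")
```

Matching on whole ".." segments rather than the substring keeps names such as `notes..txt` from raising alerts, and a hit with a 200 status deserves priority because the file was likely returned.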

Vulnerable variable:

Exploit link:


