BOA Web Server 0.94.14rc21 Arbitrary File Access

BOA Web Server version 0.94.14rc21 suffers from an arbitrary file access vulnerability.

MD5 | aaea3bb5ba1b420b9f8f2471697656b2

BOA Web Server 0.94.14 - Access to arbitrary files with root privileges

Title: Vulnerability in BOA Webserver 0.94.14
Date: 20-06-2017
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: Miguel Mendez Z
Vendor Homepage:
Version: Boa Webserver 0.94.14rc21
CVE: CVE-2017-9833

Vulnerability description
- We can read any file located on the server.
The server allows the injection of "../.." through the FILECAMERA variable sent by GET, which lets files be read with root privileges, without using access credentials.
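
Defenders can look for this request pattern in the web server's access logs. The Python script below is an added example, not part of the original advisory or of Boa; it flags requests whose FILECAMERA value contains a ".." path segment, and it generalizes beyond the literal "../.." above by also undoing nested percent-encoding. The log lines, the /cgi-bin/placeholder path and the file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "FILECAMERA"  # parameter named in the advisory
# Request line as it appears in common/combined access log format (assumed).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def scan(lines):
    """Return (line_no, client, decoded_value) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.upper() == PARAM and is_traversal(value):
                hits.append((line_no, line.split()[0], fully_decode(value)))
    return hits

# Constructed sample log lines (documentation IP range, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2017:10:00:01 +0000] "GET /cgi-bin/placeholder?FILECAMERA=snapshot.jpg HTTP/1.1" 200 5120',
    '192.0.2.77 - - [20/Jun/2017:10:00:07 +0000] "GET /cgi-bin/placeholder?FILECAMERA=../../placeholder/file HTTP/1.1" 200 812',
    '192.0.2.77 - - [20/Jun/2017:10:00:09 +0000] "GET /cgi-bin/placeholder?FILECAMERA=%2e%2e%2f%2e%2e%2fplaceholder%2ffile HTTP/1.1" 200 812',
    '192.0.2.77 - - [20/Jun/2017:10:00:11 +0000] "GET /cgi-bin/placeholder?FILECAMERA=%252e%252e%252fplaceholder HTTP/1.1" 404 0',
    '192.0.2.10 - - [20/Jun/2017:10:00:15 +0000] "GET /index.html?note=..%2F HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, client, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} requested {PARAM}={value!r}")
```

A 200 response on a flagged line means the server returned content for the traversal request, so those entries deserve review first.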

Vulnerable variable:

Exploit link:

