CVE-2022-44117: Boa 0.94.14rc21 is vulnerable to SQL Injection via username. Only reference is a gist with the CVE description. I've commented asking for more information, maybe it won't be deleted this time.
I'm really surprised to hear this, given that: $ grep -Ri sql yields nothing (and I was genuinely surprised to hear boa and SQL in the same sentence). Perhaps it's somehow related to: https://www.bleepingcomputer.com/news/security/hackers-breach-energy-orgs-via-bugs-in-discontinued-web-server/
CVE-2017-9833 (https://pastebin.com/raw/rt7LJvyF): https://www.exploit-db.com/exploits/42290/ /cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. CVE-2021-33558 (https://sourceforge.net/projects/boa/files/boa/0.94.13/): https://github.com/mdanzaruddin/CVE-2021-33558. Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. Both of these seem unfixed. GitHub reference for CVE-2021-33558 is 404, though.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a5499ece7be858c7b06025771198c78435f97b4 commit 1a5499ece7be858c7b06025771198c78435f97b4 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-11-28 04:46:43 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-28 04:54:13 +0000 profiles: last rite www-servers/boa Bug: https://bugs.gentoo.org/882773 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)
CVE-2022-45956 (https://packetstormsecurity.com/files/169962/Boa-Web-Server-0.94.13-0.94.14-Authentication-Bypass.html): Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b5705101b99fa9fa430a2f52bc7330e45f32135 commit 8b5705101b99fa9fa430a2f52bc7330e45f32135 Author: Jakov Smolić <jsmolic@gentoo.org> AuthorDate: 2022-12-31 18:18:02 +0000 Commit: Jakov Smolić <jsmolic@gentoo.org> CommitDate: 2022-12-31 18:30:57 +0000 www-servers/boa: treeclean Closes: https://bugs.gentoo.org/882773 Closes: https://bugs.gentoo.org/715460 Signed-off-by: Jakov Smolić <jsmolic@gentoo.org> profiles/package.mask | 5 - www-servers/boa/Manifest | 1 - www-servers/boa/boa-0.94.14_rc21-r2.ebuild | 63 ------- .../boa/files/boa-0.94.14_rc21-ENOSYS.patch | 17 -- www-servers/boa/files/boa-0.94.14_rc21-texi.patch | 14 -- www-servers/boa/files/boa.conf | 191 ------------------- www-servers/boa/files/boa.conf.d | 4 - www-servers/boa/files/boa.initd | 28 --- www-servers/boa/files/boa.service | 9 - www-servers/boa/files/mime.types | 205 --------------------- www-servers/boa/metadata.xml | 8 - 11 files changed, 545 deletions(-)