Still using a discontinued Boa web server? Microsoft warns of supply chain attacks

Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology. Those affected may be unaware that their devices run services using the discontinued Boa …

  1. Jou (Mxyzptlk) Silver badge

    Not even SSL...

    Boa, how can someone use this thing on the net today?

    1. DoContra

      Re: Not even SSL...

      Leaving aside the debate of Encrypt all the things or not, the last update was in... 2005! (And if there ever was a svn/cvs repo in SourceForge, it hasn't survived the conversion to git...). If for whatever reason you need a brutally small HTTP server, there's always OpenWRT's uhttpd, which supports SSL and even supports CGI (or at least something close enough). Otherwise, nginx can be slimmed down quite a bit (~2MB + deps install size for the nginx-light debian package, which has some room to be slimmed down).

      1. Captain Scarlet
        Childcatcher

        Re: Not even SSL...

        Wtf, there is a y2k statement on the website!

        "There are no access control features

        Boa will follow symbolic links, and serve any file that it can read. The expectation is that you will configure Boa to run as user "nobody", and only files configured world readable will come out. See the todo.txt to-do list."
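The quoted Boa documentation describes the whole security model: no access control, symlinks are followed, and whatever the server user can read is served. The audit below is an added example (not Boa project code, and not from any commenter) that walks a document root the way Boa would see it and flags symlinks escaping the docroot and world-readable files with sensitive-looking names; the suffix list and the sample tree are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed list of suffixes that usually should not be served; not a Boa setting.
SENSITIVE_SUFFIXES = (".key", ".pem", ".conf", ".bak", "~")


def audit_docroot(docroot):
    """Return (kind, path, detail) findings for a Boa-style document root.

    Boa follows symlinks and serves anything readable by its user (typically
    'nobody'), so two things matter: symlinks that resolve outside the docroot,
    and world-readable files that look like secrets or configuration."""
    docroot = os.path.realpath(docroot)
    findings = []
    # followlinks=False: symlinked directories are listed but not descended into.
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([docroot, target]) != docroot:
                    findings.append(("symlink-escape", path, target))
                continue
            if os.path.isfile(path):
                mode = os.stat(path).st_mode
                # Only world-readable files come out when Boa runs as 'nobody'.
                if mode & stat.S_IROTH and name.endswith(SENSITIVE_SUFFIXES):
                    findings.append(("exposed-sensitive", path, oct(mode & 0o777)))
    return findings


def build_sample_docroot():
    """Construct a throwaway tree: one escaping symlink, one exposed key file."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "www")
    outside = os.path.join(root, "outside")  # stands in for /etc or similar
    os.makedirs(docroot)
    os.makedirs(outside)

    def write(path, mode):
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)

    write(os.path.join(docroot, "index.html"), 0o644)    # normal page
    write(os.path.join(docroot, "server.key"), 0o644)    # world-readable: served
    write(os.path.join(docroot, "private.conf"), 0o600)  # not readable by 'nobody'
    os.symlink(outside, os.path.join(docroot, "escape"))         # leaves docroot
    os.symlink("index.html", os.path.join(docroot, "home.html"))  # stays inside
    return docroot
```

Run `audit_docroot("/path/to/docroot")` against a real tree before exposing it; an empty list means no escaping symlinks and no world-readable files matching the suffix list.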

      2. Pirate Dave Silver badge

        Re: Not even SSL...

        " Otherwise, nginx can be slimmed down quite a bit (~2MB + deps install size for the nginx-light debian package, which has some room to be slimmed down)."

        Just at a guess: (from boa.org's page)

        " Supposedly, an older version of Boa, v0.92q, runs in 32K address space on m68k, like used in uCLinux."

        I'm not an embedded guy, but I would imagine that to those that are, there's quite a lot of difference between a webserver that can possibly run in ~32K vs one that needs ~2M+.

  2. PRR Silver badge
    Devil

    > Microsoft is warning ... exploiting security flaws

    Pot, meet kettle.

    Back in 1997(?) I ran MS's PWS (a cut-down of MS's IIS big info server). For about a month. The more I poked it, the more I was sure it was like leaving the keys in the lock and not having a dog around. The dang thing could not count slashes right, forward or backward. Multiple hacks existed. Gee MicroSoft, why should I be surprised?

    OT: Apache was a thing but I was not smart enough for it. Server Watch listed XITAMI. Small, limited features, all the essentials (powerful SSI hook), litewait, free. Was a good pick. In 2005 an exploit was reported, but an intruder had to already be in the system to exploit it.

    Apache had improved (I didn't get a lot smarter) so I moved to that for the main server. Xitami lingered on a club server until the boss bought us One Server To Serve Them All (aka one egg-basket) and I v-hosted the clubs in a corner of that machine.

    Can you tell I get excited when MicroSoft says "Look over there! A vulnerability!!"? Beam in the eye indeed.

  3. sgp
    Trollface

    "All new development will begin with the 0.95 series, which is not yet public." - http://www.boa.org/

    So it'll be fixed soon.

    1. Pirate Dave Silver badge

      It does make you wonder that with this being OSS, why hasn't RealTek or one of the other SoC/embedded players forked this off and done some maintenance? Or maybe they have, but never released their changes, since the project is obviously dead and unmaintained.

      1. Sceptic Tank Silver badge

        Someone appears to still pay for the hosting.

        I think.

        ...

        1. Pirate Dave Silver badge
          Pirate

          Their Whois lookup shows the domain was renewed at Network Solutions in 2019 for 5 years. A reverse lookup for their www IP shows it's hosted at Linode. Does Linode offer "free" hosting? The cheapest plan I see is $5/month. Or maybe they got a "free" plan back in the mists of time and are still using it.

          A little more gentle digging and it looks like boa.org may be hosted on a Debian box, under Apache (not Boa, as I was hoping...)

          So I guess somebody's still keeping the lights on, at least.

    2. Sceptic Tank Silver badge

      Real soon now...
