Not even SSL...
Boa, how can someone use this thing on the net today?
Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology. Those affected may be unaware that their devices run services using the discontinued Boa …
Leaving aside the debate of Encrypt all the things or not, the last update was in... 2005! (And if there ever was a svn/cvs repo in SourceForge, it hasn't survived the conversion to git...). If for whatever reason you need a brutally small HTTP server, there's always OpenWRT's uhttpd, which supports SSL and even supports CGI (or at least something close enough). Otherwise, nginx can be slimmed down quite a bit (~2MB + deps install size for the nginx-light debian package, which has some room to be slimmed down).
Wtf, there is a Y2K statement on the website!
"There are no access control features
Boa will follow symbolic links, and serve any file that it can read. The expectation is that you will configure Boa to run as user "nobody", and only files configured world readable will come out. See the todo.txt to-do list."
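The quoted documentation describes the exact failure mode to watch for: a server that follows symlinks out of its document root and relies only on running as "nobody" to limit what leaks. The following is an added example, not code from the thread or from Boa, that contrasts that permissive behaviour with a strict resolver which rejects traversal, rejects symlink escapes, and refuses files that are not world-readable. The policy names and the constructed docroot (a real file, an owner-only file, and a symlink pointing outside) are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Hypothetical policy names used only in this example (not Boa directives).
FOLLOW_SYMLINKS = "follow"   # Boa-like: serve whatever the process can read
STRICT = "strict"            # hardened: reject any path that escapes docroot


def resolve_request(docroot, request_path, policy=STRICT):
    """Map a URL path onto the filesystem and decide whether to serve it.

    Returns (decision, fs_path). decision is one of "serve", "traversal",
    "symlink-escape", "not-world-readable" or "missing".
    """
    root = os.path.realpath(docroot)
    # Drop leading slashes so os.path.join cannot replace the docroot.
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    # Lexical check catches "../" before any symlink is resolved.
    if os.path.commonpath([root, candidate]) != root:
        return ("traversal", candidate)
    if not os.path.exists(candidate):
        return ("missing", candidate)
    target = os.path.realpath(candidate)
    if os.path.commonpath([root, target]) != root:
        if policy == FOLLOW_SYMLINKS:
            return ("serve", target)   # the behaviour the Boa docs describe
        return ("symlink-escape", target)
    mode = os.stat(target).st_mode
    # Boa's only guard: as "nobody", only world-readable files come out.
    if not mode & stat.S_IROTH:
        return ("not-world-readable", target)
    return ("serve", target)


def build_demo():
    """Create a constructed docroot with a symlink pointing outside it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed secret\n")
    os.chmod(secret, 0o644)
    docroot = tempfile.mkdtemp(prefix="docroot-")
    index = os.path.join(docroot, "index.html")
    with open(index, "w") as f:
        f.write("<h1>hi</h1>\n")
    os.chmod(index, 0o644)
    private = os.path.join(docroot, "private.txt")
    with open(private, "w") as f:
        f.write("owner only\n")
    os.chmod(private, 0o600)
    # Symlink inside the docroot that points at a file outside it.
    os.symlink(secret, os.path.join(docroot, "leak"))
    return docroot


def run_demo():
    """Return {request_path: (follow-symlinks decision, strict decision)}."""
    docroot = build_demo()
    results = {}
    for path in ["/index.html", "/private.txt", "/leak", "/../etc/hostname"]:
        results[path] = (
            resolve_request(docroot, path, FOLLOW_SYMLINKS)[0],
            resolve_request(docroot, path, STRICT)[0],
        )
    return results


if __name__ == "__main__":
    for path, (boa_like, strict) in run_demo().items():
        print(f"{path:20s} follow-symlinks={boa_like:18s} strict={strict}")
```

Running it shows `/leak` being served under the permissive policy and refused as a symlink escape under the strict one; the owner-only file is refused by both, which is the one protection the quoted docs actually rely on. The lexical traversal check runs before `realpath` so a `../` request is refused without consulting the filesystem at all.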
" Otherwise, nginx can be slimmed down quite a bit (~2MB + deps install size for the nginx-light debian package, which has some room to be slimmed down)."
Just at a guess: (from boa.org's page)
" Supposedly, an older version of Boa, v0.92q, runs in 32K address space on m68k, like used in uCLinux."
I'm not an embedded guy, but I would imagine that to those that are, there's quite a lot of difference between a webserver that can possibly run in ~32K vs one that needs ~2M+.
> Microsoft is warning ... exploiting security flaws
Pot, meet kettle.
Back in 1997(?) I ran MS's PWS (a cut-down of MS's IIS big info server). For about a month. The more I poked it, the more I was sure it was like leaving the keys in the lock and not having a dog around. The dang thing could not count slashes right, forward or backward. Multiple hacks existed. Gee MicroSoft, why should I be surprised?
OT: Apache was a thing but I was not smart enough for it. Server Watch listed XITAMI. Small, limited features, all the essentials (powerful SSI hook), litewait, free. Was a good pick. In 2005 an exploit was reported, but an intruder had to already be in the system to exploit it.
Apache had improved (I didn't get a lot smarter) so I moved to that for the main server. Xitami lingered on a club server until the boss bought us One Server To Serve Them All (aka one egg-basket) and I v-hosted the clubs in a corner of that machine.
Can you tell I get excited when MicroSoft says "Look over there! A vulnerability!!"? Beam in the eye indeed.
Their Whois lookup shows the domain was renewed at Network Solutions in 2019 for 5 years. A reverse lookup for their www IP shows it's hosted at Linode. Does Linode offer "free" hosting? The cheapest plan I see is $5/month. Or maybe they got a "free" plan back in the mists of time and are still using it.
A little more gentle digging and it looks like boa.org may be hosted on a Debian box, under Apache (not Boa, as I was hoping...)
So I guess somebody's still keeping the lights on, at least.