TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
HTTP query parameters in ISINDEX style are passed directly as command-line arguments to the CGI executable file through the Windows CreateProcess() function. An attacker can inject special Windows shell metacharacters into the HTTP request, leading to execution of unintended operating system commands. The vulnerability does not require authentication or any user interaction.
An attacker can execute arbitrary commands on the server with TinyWeb process privileges, potentially gaining full control over the operating system and internal resources.
TinyWeb should be updated to version 1.98, in which the vulnerability was fixed. The patch is available in the project repository on GitHub (commit 876b7e2).
Ritlabs TinyWeb HTTP Server versions prior to 1.98 (server running on Win32 platform)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XRitlabs Tinyweb
APPRitlabs< 1.98
Related vulnerabilities
Integer overflow w TinyWeb umożliwia HTTP Request Smuggling
TinyWeb: nieprawidłowa walidacja nagłówków HTTP umożliwia header injection
RCE lub ujawnienie kodu źródłowego w TinyWeb przez pominięcie kontroli parametrów CGI
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerab...
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denia...