Advisory ID: SYSS-2021-042
Product: Tiny Java Web Server and Servlet Container (TJWS)
Manufacturer: D. Rogatkin
Affected Versions: <= 1.115
Tested Versions: 1.107, 1.114
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-07-21
Solution Date: 2021-07-23
Public Disclosure: 2021-08-03
CVE Reference: CVE-2021-37573
Author of Advisory: Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Tiny Java Web Server and Servlet Container (TJWS) is a lightweight web
server written in Java.

The manufacturer describes the product as follows (see [1]):

"The Miniature Java Web Server is built as a servlet container with HTTPD
servlet providing standard Web server functionality."

Due to improper input validation, the application is vulnerable to a
reflected cross-site scripting attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to inject malicious JavaScript code into the server's
error page "404 Page Not Found". The given input is not properly
validated and is therefore reflected back and executed in a victim's
browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following GET request shows how JavaScript code can be placed on the
page:

===
HTTP request:

GET /te%3Cimg%20src=x%20onerror=alert(42)%3Est HTTP/1.1
[...]
Connection: close

HTTP response:

HTTP/1.1 404 test not found
server: D. Rogatkin's TJWS (+Android, JSR340, JSR356) https://github.com/drogatkin/TJWS2.git/Version 1.114
[...]
content-length: 338
connection: close

404 te<img src=x onerror=alert(42)>st not found
[...]
404 test not found
[...]
===

If a browser renders the response, the JavaScript code is executed,
showing the message "42".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue has been addressed in release version 1.116 [2]. Therefore,
all instances of TJWS should be updated to this version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability discovered
2021-07-21: Vulnerability reported to manufacturer
2021-07-23: Patch released by manufacturer
2021-08-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Tiny Java Web Server and Servlet Container (TJWS):
    http://tjws.sourceforge.net/
[2] Patch release on GitHub:
    https://github.com/drogatkin/TJWS2/releases/tag/v1.116
[3] SySS Responsible Disclosure Policy:
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Maurizio Ruchay of SySS GmbH.

E-Mail: maurizio.ruchay@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc
Key ID: 0xC7D20E267F0FA978
Key Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
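The defect behind this advisory is that the requested path is written into the 404 page as raw HTML. The following Java helper is an added example (not TJWS code and not the vendor's 1.116 patch; the class and method names are assumptions) showing the output encoding a 404 handler needs before it reflects the path, fed the PoC path from the request above.

```java
// Added example, not TJWS code: builds a 404 page that reflects the
// requested path only after HTML-encoding it.
public final class SafeNotFoundPage {

    // Minimal HTML encoder for the characters that can break out of
    // element text or a quoted attribute value: & < > " '
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Body shape mirrors the advisory's response ("404 <path> not found").
    // The path is encoded exactly once, for the HTML text context it
    // lands in, so the browser shows the tag as literal text.
    static String render404(String decodedPath) {
        String safe = htmlEncode(decodedPath);
        return "<!DOCTYPE html><html><head><title>404 " + safe
             + " not found</title></head><body><h1>404 " + safe
             + " not found</h1></body></html>";
    }

    public static void main(String[] args) {
        // Constructed input: the PoC path after percent-decoding, i.e.
        // what the server sees for /te%3Cimg%20src=x%20onerror=alert(42)%3Est
        String path = "te<img src=x onerror=alert(42)>st";
        String page = render404(path);
        System.out.println(page);
        // No '<' survives from the input, so no element can be injected.
        assert !page.contains("<img") : "path was reflected unencoded";
        assert page.contains("te&lt;img src=x onerror=alert(42)&gt;st");
    }
}
```

A quick regression check for a deployed instance is to repeat the advisory's GET request and confirm the body shows `&lt;img` rather than a live `<img` element; the response should also carry an explicit `Content-Type: text/html; charset=...` so the browser does not sniff the encoding.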
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en