TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).
The error classified as CWE-78 (OS command injection) and CWE-88 (argument injection) involves improper validation of parameters passed via URL to executable CGI files. An attacker can craft an HTTP request containing query string parameters starting with a dash (`-`) or containing encoded quotes (`%22`), which are then passed directly as command-line arguments to the CGI process. When using interpreters such as `php-cgi.exe`, such arguments can be interpreted as switches controlling program behavior, leading to arbitrary code execution or source file disclosure.
An unauthenticated remote attacker can execute arbitrary code on the server (RCE) or gain access to the source code of hosted scripts, which may lead to system takeover and data breach.
Update TinyWeb to version 2.01, where the issue has been fixed. If immediate update is not possible: ensure that the `STRICT_CGI_PARAMS` option is enabled (defined by default in the `define.inc` file), avoid using CGI executable files that accept unsafe command-line flags (e.g., `php-cgi.exe`). When hosting PHP, it is recommended to place the server behind a Web Application Firewall (WAF) that blocks query string parameters starting with `-` or containing encoded quotes (`%22`).
Ritlabs TinyWeb in versions prior to 2.01 — affects anyone hosting CGI scripts (particularly in interpreted languages such as PHP) using vulnerable server versions.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XRitlabs Tinyweb
APPRitlabs< 2.01
Related vulnerabilities
Integer overflow w TinyWeb umożliwia HTTP Request Smuggling
TinyWeb: nieprawidłowa walidacja nagłówków HTTP umożliwia header injection
Command injection w TinyWeb HTTP Server via parametry CGI ISINDEX
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerab...
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denia...