TinyWeb OS Command Injection Vulnerability in CGI ISINDEX Queries
Vulnerability
A critical OS command injection vulnerability has been identified in TinyWeb HTTP Server versions prior to 1.98. The issue arises in the CGI ISINDEX query handling, where query parameters are passed as command-line arguments to the CGI executable without proper sanitization. This allows unauthenticated remote attackers to inject Windows shell metacharacters through HTTP requests, executing arbitrary commands on the server. The vulnerability is present in all versions from 0.5 up to 1.97.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server. Additionally, according to the advisory, this vulnerability could lead to information disclosure, a denial-of-service condition, and privilege escalation.
Reproduction
To reproduce this vulnerability, send an HTTP GET request to a CGI script with a query string that includes shell metacharacters. The TinyWeb server must be running a version prior to 1.98, and there should be at least one CGI script in the 'cgi-bin' directory. The injected metacharacters will be processed by the Windows command interpreter, executing the specified commands.
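From the defender's side, the distinguishing feature of these requests is visible in the web server access log: an ISINDEX query is a query string with no unencoded '=' (per RFC 3875 section 4.4 it is split on '+' and handed to the CGI program as command-line arguments), and an attack adds Windows cmd.exe metacharacters to it. The following Python scanner is an added example, not code from the advisory or from TinyWeb; it assumes Common Log Format access logs and that CGI programs live under '/cgi-bin/', and the log lines embedded in it are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# cmd.exe metacharacters that chain or redirect commands.
WIN_SHELL_META = set('&|<>^')

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (assumption: CLF, CGI under /cgi-bin/).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/search.exe?term HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/search.exe?foo%26bar HTTP/1.1" 200 80',
    '10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /cgi-bin/search.exe?q=a%26b HTTP/1.1" 200 100',
    '10.0.0.8 - - [01/Jan/2024:10:00:15 +0000] "GET /index.html?a%26b HTTP/1.1" 200 100',
    'garbage line that does not parse',
]


def is_isindex_query(query: str) -> bool:
    """RFC 3875 4.4: a non-empty query string with no unencoded '=' is an
    ISINDEX query and becomes the CGI program's command-line arguments."""
    return query != '' and '=' not in query


def flag_request(target: str):
    """Return (path, decoded_args) when the request is an ISINDEX query to a
    CGI program whose decoded arguments contain a shell metacharacter,
    otherwise None."""
    path, sep, query = target.partition('?')
    if not sep or not path.startswith('/cgi-bin/'):
        return None
    if not is_isindex_query(query):
        return None
    # The server splits on '+' before URL-decoding each argument.
    args = [unquote(a) for a in query.split('+')]
    if any(ch in WIN_SHELL_META for a in args for ch in a):
        return path, args
    return None


def scan_log(lines):
    """Parse CLF lines and collect requests matching the ISINDEX injection pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line, skip rather than crash
        flagged = flag_request(m.group('target'))
        if flagged:
            hits.append({
                'host': m.group('host'),
                'time': m.group('time'),
                'path': flagged[0],
                'args': flagged[1],
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported: the third carries an '=' and so is passed to the CGI program as QUERY_STRING rather than as arguments, and the fourth does not target a CGI program. Lines that fail to parse are skipped rather than aborting the scan.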
Remediation
Users are advised to upgrade to TinyWeb version 1.98 or later, where this vulnerability has been fixed. If an upgrade is not possible, remove or disable all CGI scripts from the 'cgi-bin' directory.