Maximmasiutin

**Name of the Vulnerable Software and Affected Versions** TinyWeb versions prior to 2.03 **Description** An integer overflow exists in the string-to-integer conversion routine (` Val`). This allows a remote, unauthenticated attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. Successful exploitation can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers utilizing persistent connections (Keep-Alive). **Recommendations** Update to version 2.03 or later.

**Name of the Vulnerable Software and Affected Versions** TinyWeb versions prior to 2.04 **Description** TinyWeb, a web server for Win32, is susceptible to a header value confusion issue due to insufficient sanitization of control characters (CR, LF, and NUL, including encoded forms like %0d, %0a, and %00) within HTTP request headers. The parser's failure to strictly reject these characters and consistently defend against encoded forms can lead to unsafe data being introduced into the CGI execution context via HTTP * environment variables. This could potentially enable malicious manipulation of CGI processes. **Recommendations** Update to version 2.04 or later.

**Name of the Vulnerable Software and Affected Versions** TinyWeb versions prior to 2.01 **Description** TinyWeb, a web server for Win32, contains a flaw where unauthenticated remote attackers can circumvent the CGI parameter security controls. This can lead to source code disclosure or remote code execution (RCE), depending on the server’s configuration and the CGI executable being used. Systems hosting CGI scripts, such as PHP, are potentially affected. The issue is addressed in version 2.01. **Recommendations** Update to version 2.01. If an immediate upgrade is not possible, ensure `STRICT CGI PARAMS` is enabled. If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that blocks URL query string parameters beginning with a hyphen (`-`) or containing encoded double quotes (`%22`).

**Name of the Vulnerable Software and Affected Versions** TinyWeb versions prior to 2.02 **Description** TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. The server creates a new operating system thread for each incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data very slowly. This is known as a Slowloris attack. The `CMaxConnections` limit is set to 512 and the `CConnectionTimeoutSecs` idle timeout is set to 30 seconds in version 2.02. **Recommendations** Versions prior to 2.02 should be upgraded to version 2.02.

**Name of the Vulnerable Software and Affected Versions** TinyWeb versions prior to 2.02 **Description** TinyWeb is a web server written in Delphi for Win32. Versions prior to 2.02 are susceptible to a Denial of Service (DoS) condition caused by memory exhaustion. An unauthenticated remote attacker can send an HTTP POST request to the server with a very large `Content-Length` header, such as `2147483647`. The server allocates memory for the request body (`EntityBody`) continuously while processing the payload, without any size restrictions. This leads to the consumption of all available memory, ultimately causing the server to crash. Any service hosted using TinyWeb is potentially impacted. The issue is resolved in version 2.02, which introduces a `CMaxEntityBodySize` limit of 10MB for incoming payloads. **Recommendations** Versions prior to 2.02 should be upgraded to version 2.02 or later. As a temporary workaround, if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to limit the maximum allowed HTTP request body size (e.g., `client max body size` in nginx).

**Name of the Vulnerable Software and Affected Versions** Ritlabs TinyWeb Server version 1.94 **Description** A vulnerability was found in the Request Handler component of Ritlabs TinyWeb Server. The manipulation with the input `%0D%0A` leads to CRLF injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Ritlabs TinyWeb Server version 1.94, as a temporary workaround, consider restricting access to the Request Handler component until a patch is available. Avoid using the input `%0D%0A` in requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.