TinyWeb: HTTP Header Control Character Injection into CGI Environment

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

N/A

流程控制

TinyWeb 安全漏洞

TinyWeb是Konstantin Belyalov个人开发者的一个简单且轻量级 HTTP 服务器。 TinyWeb 2.04之前版本存在安全漏洞，该漏洞源于解析器未严格拒绝标头行和标头值中的危险控制字符，可能导致标头值混淆并在CGI执行环境中创建不安全数据。

N/A

N/A