TinyWeb Path Traversal / Source Code Disclosure (CVE-2004-2636)
Security Advisory. Published: 2004-05-27. Fixed in TinyWeb v1.93 (June 3, 2004).
Summary
TinyWeb HTTP Server version 1.9 is vulnerable to path traversal via /./ sequences in URLs. An
unauthenticated remote attacker can bypass the CGI handler and read the source code of interpreted scripts or
download compiled CGI binaries instead of executing them.
Severity: Medium (CVSS 3.1 Base Score: 5.3 / CVSS 2.0 Base Score: 5.0)
Vulnerability Details
| CVE ID | CVE-2004-2636 |
|---|---|
| GHSA ID | GHSA-7mcr-wpqh-pp73 |
| Vulnerability Type | Path Traversal / Source Code Disclosure (CWE-22) |
| Attack Type | Remote |
| Attack Vector | Network (unauthenticated HTTP request) |
| Original Vendor | RITLABS S.R.L. |
| Current Maintainer | Maxim Masiutin |
| Product | TinyWeb HTTP Server |
| Affected Versions | 1.9 and below |
| Fixed Version | 1.93 (June 3, 2004) |
| Affected Component | HTTP request path handling in WebServerHttpResponse() |
| Impact | Source Code Disclosure, Information Disclosure |
CVSS Scores
| CVSS Version | Score | Severity | Vector String |
|---|---|---|---|
| CVSS 3.1 | 5.3 | Medium | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVSS 2.0 | 5.0 | Medium | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| EPSS | 4.147% | 88th percentile | Probability of exploitation in the wild within 30 days |
Background
TinyWeb HTTP Server was developed by RITLABS S.R.L. (Moldova) in 1997 as a minimal Windows HTTP server. It runs as a silent background process with no GUI, no console, and no Windows Service. The server is written in Object Pascal and compiles to a single ~60KB executable.
When TinyWeb receives a request for a file under /cgi-bin/, it executes the file as a CGI program
and returns its output. The /./ technique exploits the gap between that routing decision and Windows
path normalization: C:\www\cgi-bin\.\script.exe resolves to the same file as
C:\www\cgi-bin\script.exe, but TinyWeb made its CGI decision on the literal request path and did not
treat /cgi-bin/./ as the cgi-bin/ directory. The request therefore fell through to the static-file
handler, which opened the normalized path and returned the file's raw contents.
This vulnerability was disclosed in May 2004. RITLABS (Maxim Masiutin) released TinyWeb v1.93 on June 3, 2004 with the fix. The CVE was assigned retroactively as CVE-2004-2636 by MITRE.
Technical Details
Root Cause
TinyWeb decides whether to execute a CGI program by comparing the decoded request path against the
/cgi-bin/ directory before any path normalization takes place. A /./ sequence defeats that comparison
while still resolving to the same file on disk, because the Delphi RTL function ExpandFileName()
(which on Windows relies on the system's path normalization) collapses \.\ away when the file is
opened. The result: the CGI file is opened and served as a static download instead of being executed.
Attack Vector
```http
GET /cgi-bin/./script.pl HTTP/1.1
Host: target.example.com
```
The literal path /cgi-bin/./script.pl is not recognized by TinyWeb's CGI check (the /./ component
breaks the comparison with cgi-bin/), but on disk it resolves to the same location as
/cgi-bin/script.pl. TinyWeb therefore returns the raw source code of script.pl instead of
executing it.
Impact
- Source Code Disclosure: Interpreted CGI scripts (Perl, Python, batch files) returned as plaintext
- Binary Download: Compiled CGI executables (.exe, .dll) served as file downloads, enabling reverse engineering of proprietary server-side logic
- Credential Exposure: Hardcoded database passwords, API keys, or other secrets in scripts become readable
- Attack Surface Expansion: Exposed source code and binaries enable targeted exploitation of application-level bugs
Fix Applied in Version 1.93
TinyWeb v1.93 (June 3, 2004) added three layers of path validation in the
WebServerHttpResponse() function in SrvMain.pas. Note: the fix predates the Git
repository (the initial commit is v1.94), so the v1.93 change itself is not in version control.
Level 1: Pattern Rejection
After converting forward slashes to backslashes, the path is checked for dangerous patterns. Requests containing any of these are rejected with HTTP 403:

- `..` -- directory traversal
- `\.\` -- dot-enclosed path component (the CVE-2004-2636 attack vector)
- `\\` -- UNC path or double backslash
- `#0` -- null byte (also fixes CVE-2003-1510)
- `:` -- alternate data streams or drive letters

The excerpt below names the fifth pattern CSemicolon; CZero and CSemicolon are defined elsewhere in SrvMain.pas.

```pascal
CDoubleDot := '..';
CDoubleBackslash := '\\';
CDotEncosed := '\.\';
{ s is the request path with '/' already converted to '\' }
if (Pos(CZero, s) > 0) or (Pos(CDoubleDot, s) > 0) or (Pos(CSemicolon, s) > 0) or
   (Pos(CDotEncosed, s) > 0) or (Pos(CDoubleBackslash, s) > 0) then
begin
  Result := THttpResponseErrorCode.Create(403);
  Exit;
end;
```
Level 2: ExpandFileName Verification
After calling ExpandFileName() to resolve the absolute path, TinyWeb verifies that the result
still ends with the original request path. If ExpandFileName() normalized away any traversal
sequence (e.g., \.\ or \..\), or changed the path in any other way, the suffix will not match and
the request is rejected with 403:

```pascal
{ ParamStr1 holds the document root given as TinyWeb's first command-line
  argument; s is the request path with '/' already converted to '\' }
LocalFName := ExpandFileName(ParamStr1 + s);
if not StrEnds(LocalFName, s) then
begin
  Result := THttpResponseErrorCode.Create(403);
  Exit;
end;
```
Level 3: LocalFNameSafe
LocalFNameSafe() walks each component of the resolved path, verifying via
FileIsRegular() that no component is a Windows reserved device name (CON, PRN, AUX, NUL, COM0-9,
LPT0-9, CONIN$, CONOUT$, CLOCK$) and that every directory in the chain actually exists as a regular directory
(not hidden, not system).
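To make both halves of this advisory concrete, the following Python script (an added example for this page, not TinyWeb's own code) simulates the pre-1.93 routing decision and the three-level filter from v1.93 against the attack request above. It assumes a document root of C:\www and models ExpandFileName() with ntpath.normpath, which collapses . and .. components on any host OS, so it runs offline; the exact shape of the pre-1.93 CGI check is an assumption, and the on-disk directory tree that Level 3 consults is a constructed in-memory set. Because the pattern list names ':' while the quoted excerpt uses a constant called CSemicolon, the example rejects both characters.

```python
"""
Routing simulation for CVE-2004-2636: the pre-1.93 CGI decision and the
three-level path filter added in TinyWeb v1.93, re-expressed in Python.

Added example, not TinyWeb code. The pre-1.93 check is modelled as a literal
comparison of the request's directory against cgi-bin (ASSUMPTION); the
v1.93 levels follow the SrvMain.pas excerpts quoted in the advisory.
ExpandFileName() is modelled with ntpath.normpath.
"""
import ntpath

DOC_ROOT = r"C:\www"                      # assumed document root (TinyWeb's first argument)
CGI_DIR = ntpath.join(DOC_ROOT, "cgi-bin")

# Constructed stand-in for the on-disk directory tree (no real filesystem access).
EXISTING_DIRS = {DOC_ROOT, CGI_DIR, ntpath.join(DOC_ROOT, "docs")}

RESERVED = ({"CON", "PRN", "AUX", "NUL", "CONIN$", "CONOUT$", "CLOCK$"}
            | {f"COM{i}" for i in range(10)} | {f"LPT{i}" for i in range(10)})

# Level 1 patterns. The advisory's list names ':' while the excerpt's constant
# is called CSemicolon, so this example rejects both characters.
BAD_PATTERNS = ("\0", "..", ":", ";", "\\.\\", "\\\\")


def vulnerable_route(url_path):
    """Pre-1.93 behaviour as described in the advisory (form of check assumed).

    The CGI decision is taken on the raw request path, before normalisation;
    the file is then opened through the normalised path. Returns (handler, path).
    """
    s = url_path.replace("/", "\\")
    is_cgi = ntpath.dirname(s) == "\\cgi-bin"     # '\cgi-bin\.' != '\cgi-bin'
    resolved = ntpath.normpath(DOC_ROOT + s)       # '\.\' collapses away here
    return ("cgi" if is_cgi else "static", resolved)


def fixed_route(url_path):
    """TinyWeb v1.93 filter (Levels 1-3) followed by the routing decision.

    Returns (status, handler_or_reason, resolved_path).
    """
    s = url_path.replace("/", "\\")

    # Level 1: reject dangerous byte patterns in the backslash-converted path.
    for bad in BAD_PATTERNS:
        if bad in s:
            return 403, "level1:" + repr(bad), None

    # Level 2: the expanded absolute path must still end with the request
    # path; any component the normaliser removed breaks the suffix.
    resolved = ntpath.normpath(DOC_ROOT + s)
    if not resolved.endswith(s):
        return 403, "level2:suffix", resolved

    # Level 3 (LocalFNameSafe): walk every component of the resolved path,
    # rejecting reserved device names and directories that do not exist.
    drive, rest = ntpath.splitdrive(resolved)
    parts = [p for p in rest.split("\\") if p]
    walked = drive
    for i, part in enumerate(parts):
        stem = part.split(".")[0].upper()          # 'CON.txt' is still CON on Windows
        if stem in RESERVED:
            return 403, "level3:reserved:" + part, resolved
        walked = walked + "\\" + part
        if i < len(parts) - 1 and walked not in EXISTING_DIRS:
            return 403, "level3:missing-dir:" + walked, resolved

    handler = "cgi" if ntpath.dirname(resolved) == CGI_DIR else "static"
    return 200, handler, resolved


if __name__ == "__main__":
    for req in ("/cgi-bin/script.pl", "/cgi-bin/./script.pl",
                "/docs/../cgi-bin/script.pl", "/cgi-bin/.", "/docs/CON.txt"):
        print(f"{req:30} pre-1.93: {vulnerable_route(req)}")
        print(f"{'':30} v1.93:    {fixed_route(req)}")
```

Running the script prints one line per request for each version: /cgi-bin/./script.pl comes out of vulnerable_route() as a static file at the same resolved path the CGI request uses (the disclosure), and out of fixed_route() as a 403 from Level 1; /cgi-bin/. is the case only Level 2 catches, and CON.txt shows Level 3 rejecting a reserved device name.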
Workarounds
- Place TinyWeb behind a reverse proxy (nginx, Apache, IIS ARR) that normalizes paths before forwarding.
Most reverse proxies resolve
/./sequences by default. - WAF rule to block requests containing
/./or/../in URL paths. - No TinyWeb configuration option exists to mitigate without upgrading.
Timeline
| Date | Event |
|---|---|
| 2004-05-27 | Vulnerability disclosed (BID 10445, OSVDB 6517, Secunia SA11731) |
| 2004-06-01 | Exploit published by Ziv Kamir (Exploit-DB #24164) |
| 2004-06-03 | TinyWeb v1.93 released by RITLABS (Maxim Masiutin) with fix |
| 2004-12-31 | CVE-2004-2636 assigned by MITRE |
Credit
Vulnerability Discovery: Ziv Kamir (June 1, 2004). Published as Exploit-DB #24164.
Fix Implementation: RITLABS S.R.L. (Maxim Masiutin). TinyWeb v1.93 released June 3, 2004.
Other TinyWeb CVEs
| CVE ID | Summary |
|---|---|
| CVE-2024-5193 | CRLF Injection (CWE-93) - Fixed in v1.99. HTTP header injection via %0D%0A. CVSS 5.0 Medium. |
| CVE-2024-34199 | Buffer Overflow (CWE-787) - Fixed in v1.99. Unbounded heap growth causes DoS. CVSS 8.6 High. |
| CVE-2026-22781 | Command Injection (CWE-78) - Fixed in v1.98. CGI query parameter injection. CVSS 9.8 Critical. |
| CVE-2003-1510 | Denial of Service (CWE-400) - Fixed in v1.93. CVSS 7.8 High. |