CVE-2019-10092: Limited Cross-Site Scripting in mod_proxy Error Page
A limited cross-site scripting issue was found in the mod_proxy error page.
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.
This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
| Affected Versions | 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0 |
|---|---|
Requirements:
For successful exploitation of the vulnerability, the attacker will require:
- A way to reach the "Proxy Error" page (e.g., expired/untrusted certificate, malformed/invalid HTTP header, etc.)
- User interaction
Proof Of Concept:
For the following example, the Apache server was purposefully misconfigured so as to result in a "Proxy Error" page.
The vulnerability occurs when the path in the URL is parsed and used to generate an HTML "<a>" tag. By URL-encoding the backslash ("\") character as "%5c", the attacker can make the "<a>" tag point to any site and launch further attacks from there.
127.0.0.1:5555/%5cmal.hexor/evil.html
Note: "mal.hexor" is a placeholder for any site/IP that the attacker may control.
Result:
Apache Configuration File:
Listen 5555
<VirtualHost *:5555>
ProxyRequests Off
#SSL
SSLProxyEngine On
ProxyPass / https://127.0.0.1:443/
ProxyPassReverse / https://127.0.0.1:443/
</VirtualHost>
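
A log check for the request pattern in the proof of concept above, added here as an example and not part of the original advisory: it decodes each logged request path and resolves it the way a browser resolves an href, flagging paths that would land on another host. The log lines and function names are constructed for illustration, and the check assumes the error page writes the decoded path into the link.

```javascript
// Added example: flag request paths that a browser would resolve to another
// host once they are decoded and written into an <a href> on an error page.

// Constructed sample access-log lines (not from the original page).
const SAMPLE_LOG = [
  '127.0.0.1 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
  '127.0.0.1 - - [01/Jan/2020:10:00:05 +0000] "GET /%5cmal.hexor/evil.html HTTP/1.1" 502 341',
  '127.0.0.1 - - [01/Jan/2020:10:00:09 +0000] "GET /docs/a%5cb.txt HTTP/1.1" 502 341',
  '127.0.0.1 - - [01/Jan/2020:10:00:12 +0000] "GET /%ZZbroken HTTP/1.1" 400 226',
];

// Returns the foreign host the link would point to, or null if it stays on-origin.
function offOriginHost(rawPath, origin) {
  try {
    // Assumption: the href carries the percent-decoded path.
    const decoded = decodeURIComponent(rawPath);
    // WHATWG URL parsing (used by browsers) treats "\" like "/" for http(s),
    // so "/\host/..." is read as the scheme-relative reference "//host/...".
    const base = new URL(origin);
    const resolved = new URL(decoded, base);
    return resolved.host === base.host ? null : resolved.host;
  } catch (e) {
    return null; // malformed escape or unparsable reference: not this pattern
  }
}

// Extracts method, path and status from each line and collects off-origin hits.
function scanLog(lines, origin) {
  const hits = [];
  for (const line of lines) {
    const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
    if (!m) continue;
    const host = offOriginHost(m[1], origin);
    if (host) hits.push({ path: m[1], status: Number(m[2]), host });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG, "http://127.0.0.1:5555"));
```

A backslash deeper in the path (the third sample line) stays on the same host and is not flagged; only a leading "/\" or "//" changes where the link points.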
