Skip to content

Latest commit

 

History

History

CVE-2019-10092-Limited Cross-Site Scripting in mod_proxy Error Page-Apache httpd

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

CVE-2019-10092: Limited Cross-Site Scripting in mod_proxy Error Page

A limited cross-site scripting issue was found in the mod_proxy error page.
An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice.
This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Affected Versions 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

Requirements:

For successful exploitation of the vulnerability, the attacker will require:

  • A way to reach the "Proxy Error" page (Ex: expired/untrusted certificate, malformed/invalid http header, etc.)
  • User interaction

Proof Of Concept:

For the following example, the Apache Server was purposefully misconfigured as to result in a "Proxy Error" page.
The vulnerability occurs when parsing the path in the URL and using it to generate a HTML "<a>" tag. By leveraging URL Encoding of the backslash ("\") character ("%5c"), the attacker can make the "<a>" tag to point to any site and launch further attacks from there.

127.0.0.1:5555/%5cmal.hexor/evil.html

Note: "mal.hexor" is a placeholder for any site/ip that the attacker may control

Result:

Apache Configuration File:

Listen 5555
<VirtualHost *:5555>
  ProxyRequests Off

  #SSL
  SSLProxyEngine On

  ProxyPass / https://127.0.0.1:443/
  ProxyPassReverse / https://127.0.0.1:443/
</VirtualHost>