Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2019-10092-Limited Cross-Site Scripting in mod_proxy Error Page-Apache httpd/
Disclosures/CVE-2019-10092-Limited Cross-Site Scripting in mod_proxy Error Page-Apache httpd/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2019-10092: Limited Cross-Site Scripting in mod_proxy Error Page

A limited cross-site scripting issue was found in the mod_proxy error page.
An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice.
This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Affected Versions 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

Requirements:

For successful exploitation of the vulnerability, the attacker will require:

  • A way to reach the "Proxy Error" page (Ex: expired/untrusted certificate, malformed/invalid http header, etc.)
  • User interaction

Proof Of Concept:

For the following example, the Apache Server was purposefully misconfigured as to result in a "Proxy Error" page.
The vulnerability occurs when parsing the path in the URL and using it to generate a HTML "<a>" tag. By leveraging URL Encoding of the backslash ("\") character ("%5c"), the attacker can make the "<a>" tag to point to any site and launch further attacks from there.

127.0.0.1:5555/%5cmal.hexor/evil.html

Note: "mal.hexor" is a placeholder for any site/ip that the attacker may control

Result:

Apache Configuration File:

Listen 5555
<VirtualHost *:5555>
  ProxyRequests Off

  #SSL
  SSLProxyEngine On

  ProxyPass / https://127.0.0.1:443/
  ProxyPassReverse / https://127.0.0.1:443/
</VirtualHost>