https://github.com/mbadanoiu/cve-2019-10092

CVE-2019-10092: Limited Cross-Site Scripting via "Proxy Error" Page in Apache HTTP Server

0-day cve cve-2019-10092 cves open-redirect user-interaction


README

# CVE-2019-10092: Limited Cross-Site Scripting via "Proxy Error" Page in Apache HTTP Server

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://httpd.apache.org/security/vulnerabilities_24.html).

### Requirements:

This vulnerability requires:


- A way to reach the "Proxy Error" page
- User interaction

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2019-10092/blob/main/Apache%20Httpd%20-%20CVE-2019-10092.pdf).

### Additional Resources:

An alternative method for exploiting CVE-2019-10092 is presented by Sebastian Neef in this [blog post](https://0day.work/proof-of-concept-for-apache-httpd-limited-cross-site-scripting-in-mod_proxy-error-page-cve-2019-10092/).