Allele Security Alert
Limited Cross-Site Scripting (XSS) in mod_proxy error page
The Apache Software Foundation
Apache HTTP Server
Affected versions: Apache HTTP Server versions 2.4.0 to 2.4.39
Fixed version: Apache HTTP Server version 2.4.41
Proof of concept
A limited Cross-Site Scripting (XSS) issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
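To triage an inventory against the version range in this alert, the sketch below (an added example, not part of the original alert or of the Apache project) classifies version banners as collected from `httpd -v` or a `Server:` header. The host names and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Ranges taken from the alert: affected 2.4.0 to 2.4.39, fixed in 2.4.41.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 39)
FIXED = (2, 4, 41)

_BANNER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for one banner."""
    match = _BANNER.search(banner)
    if not match:
        # e.g. "ServerTokens Prod" hides the version; check the host directly.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # Distribution packages may backport the fix without changing the
        # upstream version string, so confirm against the package changelog.
        return "affected"
    if version[:2] == (2, 4) and version >= FIXED:
        return "fixed"
    # Other branches and 2.4.40 are not listed in the alert either way.
    return "not-listed"


def triage(inventory):
    """Group host names by classification; input maps host -> banner."""
    groups = {"affected": [], "fixed": [], "not-listed": [], "unknown": []}
    for host, banner in inventory.items():
        groups[classify(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (not real hosts).
SAMPLE = {
    "web-01": "Server version: Apache/2.4.38 (Debian)",
    "web-02": "Apache/2.4.41 (Unix) OpenSSL/1.1.1d",
    "web-03": "Apache",
    "web-04": "Apache/2.2.34 (Unix)",
    "web-05": "Apache/2.4.40",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A host reported as affected is only exposed in the conditions the description gives: proxying enabled and the Proxy Error page reachable.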
Matei “Mal” Badanoiu
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
[Apache-SVN] Revision 1864787
CVE-2019-10092: Limited cross-site scripting in mod_proxy
Apache HTTP Server 2.4.41 Released
Last modified: October 14, 2019