ASA-2019-00512 – Apache HTTP Server: Limited Cross-Site Scripting (XSS) in mod_proxy error page


Allele Security Alert

ASA-2019-00512

Identifier(s)

ASA-2019-00512, CVE-2019-10092

Title

Limited Cross-Site Scripting (XSS) in mod_proxy error page

Vendor(s)

The Apache Software Foundation

Product(s)

Apache HTTP Server

Affected version(s)

Apache HTTP Server versions 2.4.0 to 2.4.39

Fixed version(s)

Apache HTTP Server version 2.4.41

Proof of concept

Unknown

Description

A limited Cross-Site Scripting (XSS) issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
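The two conditions above (a version in the affected range and proxying enabled) can be checked from the output of `httpd -v` and `httpd -M`. The following is an added example, not part of the original alert or of the Apache project's code; the sample outputs are constructed, and treating every version from 2.4.41 upward as fixed is an assumption.

```python
import re

# Version bounds taken from this alert.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 39)
FIXED = (2, 4, 41)  # assumption: later releases keep the fix

# Constructed sample outputs of `httpd -v` and `httpd -M`.
SAMPLE_V = "Server version: Apache/2.4.39 (Unix)\nServer built:   Apr  1 2019 00:00:00\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n"
            " proxy_module (shared)\n proxy_http_module (shared)\n")

def parse_version(httpd_v_output):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def proxy_loaded(httpd_m_output):
    """True if mod_proxy itself (proxy_module) is listed in `httpd -M` output."""
    pattern = r"^\s*proxy_module\s+\((static|shared)\)"
    return re.search(pattern, httpd_m_output, re.M) is not None

def assess(httpd_v_output, httpd_m_output):
    """Classify a server against the version ranges given in this alert."""
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown: could not parse version"
    if version >= FIXED:
        return "fixed"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        # Covers 2.4.40 and pre-2.4 releases, which the alert does not list.
        return "not listed: version is outside the ranges in the alert"
    if not proxy_loaded(httpd_m_output):
        return "affected version, mod_proxy not loaded"
    return "affected version with mod_proxy loaded: upgrade to 2.4.41"

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_M))
```

Distribution packages may backport the fix without changing the upstream version string, so confirm the result against the vendor's package changelog.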

Technical details

Unknown

Credits

Matei “Mal” Badanoiu

Reference(s)

httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html

[Apache-SVN] Revision 1864787
https://svn.apache.org/viewvc?view=revision&revision=1864787

CVE-2019-10092: Limited cross-site scripting in mod_proxy
https://seclists.org/oss-sec/2019/q3/139

Apache HTTP Server 2.4.41 Released
https://www.apache.org/dist/httpd/Announcement2.4.html

CVE-2019-10092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092

CVE-2019-10092
https://nvd.nist.gov/vuln/detail/CVE-2019-10092


Last modified: October 14, 2019
