Allele Security Alert
ASA-2019-00512
Identifier(s)
ASA-2019-00512, CVE-2019-10092
Title
Limited Cross-Site Scripting (XSS) in mod_proxy error page
Vendor(s)
The Apache Software Foundation
Product(s)
Apache HTTP Server
Affected version(s)
Apache HTTP Server versions 2.4.0 to 2.4.39
Fixed version(s)
Apache HTTP Server version 2.4.41
Proof of concept
Unknown
Description
A limited Cross-Site Scripting (XSS) issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Technical details
Unknown
Credits
Matei “Mal” Badanoiu
Reference(s)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html
[Apache-SVN] Revision 1864787
https://svn.apache.org/viewvc?view=revision&revision=1864787
CVE-2019-10092: Limited cross-site scripting in mod_proxy
https://seclists.org/oss-sec/2019/q3/139
Apache HTTP Server 2.4.41 Released
https://www.apache.org/dist/httpd/Announcement2.4.html
CVE-2019-10092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
CVE-2019-10092
https://nvd.nist.gov/vuln/detail/CVE-2019-10092
Last modified: October 14, 2019