ASA-2019-00513 – Apache HTTP Server: mod_rewrite potential open redirect


Allele Security Alert

ASA-2019-00513

Identifier(s)

ASA-2019-00513, CVE-2019-10098

Title

mod_rewrite potential open redirect

Vendor(s)

The Apache Software Foundation

Product(s)

Apache HTTP Server

Affected version(s)

Apache HTTP Server versions 2.4.0 to 2.4.39

Fixed version(s)

Apache HTTP Server version 2.4.41

Proof of concept

Unknown

Description

Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
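
A triage sketch for the behaviour described above, added here as an example and not taken from the alert or from Apache's code: it checks a version string against the affected range and flags logged requests whose path contains a percent-encoded CR or LF and that were answered with a redirect. The access-log layout (common/combined), the sample lines and the function names are assumptions.

```python
import re

# Assumed layout: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENC_NEWLINE_RE = re.compile(r'%0[ad]', re.IGNORECASE)  # encoded LF or CR
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 0), (2, 4, 39)  # range stated in this alert


def is_affected(version):
    """True if a dotted numeric httpd version (e.g. '2.4.38') is in the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def suspect_redirects(lines):
    """Return (host, target, status) for redirects whose request path has an encoded CR/LF."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        # Scoping choice: RewriteRule patterns are matched against the URL path.
        path = m["target"].split("?", 1)[0]
        status = int(m["status"])
        if status in REDIRECT_STATUSES and ENC_NEWLINE_RE.search(path):
            hits.append((m["host"], m["target"], status))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Aug/2019:10:00:01 +0000] "GET /docs/ HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Aug/2019:10:00:02 +0000] "GET /old HTTP/1.1" 301 230',
    '192.0.2.12 - - [21/Aug/2019:10:00:03 +0000] "GET /old%0Aplaceholder HTTP/1.1" 302 230',
    '192.0.2.13 - - [21/Aug/2019:10:00:04 +0000] "GET /search?q=a%0Ab HTTP/1.1" 302 230',
    '192.0.2.14 - - [21/Aug/2019:10:00:05 +0000] "GET /x%0d%0ay HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for hit in suspect_redirects(SAMPLE):
        print(hit)
```

Distribution packages may backport the fix without changing the upstream version number, so the version check is only a first filter.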

Technical details

Unknown

Credits

Yukitsugu Sasaki

Reference(s)

httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html

Apache HTTP Server 2.4.41 Released
https://www.apache.org/dist/httpd/Announcement2.4.html

CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect
https://seclists.org/oss-sec/2019/q3/141

[Apache-SVN] Revision 1864192
https://svn.apache.org/viewvc?view=revision&revision=1864192

CVE-2019-10098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098

CVE-2019-10098
https://nvd.nist.gov/vuln/detail/CVE-2019-10098

Last modified: August 21, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.