# CVE-2019-10092: Limited Cross-Site Scripting via "Proxy Error" Page in Apache HTTP Server
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
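The two conditions above (a version in the stated range and proxying enabled) can be triaged from the output of `httpd -v` and `httpd -M`. The following is an added example, not code from this repository or from the Apache project; the function names, status labels and sample outputs are constructed for illustration, and a distribution package may carry a backported fix without changing its version string.

```python
import re

# Affected range as stated on this page: Apache HTTP Server 2.4.0 through 2.4.39.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 39)

# Constructed sample outputs in the format printed by `httpd -v` and `httpd -M`.
SAMPLE_V = "Server version: Apache/2.4.39 (Unix)\nServer built:   Apr  1 2019 00:00:00\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n so_module (static)\n"
            " proxy_module (shared)\n proxy_http_module (shared)\n")

def parse_version(httpd_v_output):
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(g) for g in m.groups()) if m else None

def loaded_proxy_modules(httpd_m_output):
    """Return the sorted proxy-related modules listed in `httpd -M` output."""
    pattern = r"^\s*(proxy(?:_\w+)?_module)\s+\((?:shared|static)\)"
    return sorted(set(re.findall(pattern, httpd_m_output, re.M)))

def triage(httpd_v_output, httpd_m_output):
    """Classify a host against the two preconditions named in the advisory."""
    version = parse_version(httpd_v_output)
    proxies = loaded_proxy_modules(httpd_m_output)
    if version is None:
        status = "unknown"            # version string missing or hidden
    elif not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        status = "outside-range"
    elif "proxy_module" in proxies:
        status = "in-range-proxy-loaded"   # review proxy config, then upgrade
    else:
        status = "in-range-no-proxy"       # mod_proxy not loaded; still upgrade
    return {"status": status, "version": version, "proxy_modules": proxies}

if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_M))
```

A result of `in-range-proxy-loaded` only means both preconditions are present; whether the "Proxy Error" page can actually be reached depends on the proxy configuration.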
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://httpd.apache.org/security/vulnerabilities_24.html).
### Requirements:
This vulnerability requires:
- A way to reach the "Proxy Error" page
- User interaction
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2019-10092/blob/main/Apache%20Httpd%20-%20CVE-2019-10092.pdf).
### Additional Resources:
An alternative method for exploiting CVE-2019-10092 is presented by Sebastian Neef in this [blog post](https://0day.work/proof-of-concept-for-apache-httpd-limited-cross-site-scripting-in-mod_proxy-error-page-cve-2019-10092/).