关联漏洞
标题:
Apache HTTP Server 跨站脚本漏洞
(CVE-2019-10092)
描述:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache httpd中的mod_proxy错误页面存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。以下产品及版本受到影响:Apache httpd 2.4.39版本,2.4.38版本,2.4.37版本,2.4.35版本,2.4.34版本,2.4.33版本,2.4.30版本,2.4.29版本,2.4.2
描述
CVE-2019-10092: Limited Cross-Site Scripting in "Proxy Error" Page
介绍
# CVE-2019-10092: Limited Cross-Site Scripting via "Proxy Error" Page in Apache HTTP Server
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://httpd.apache.org/security/vulnerabilities_24.html).
### Requirements:
This vulnerability requires:
<br/>
- A way to reach the "Proxy Error" page
- User interaction
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2019-10092/blob/main/Apache%20Httpd%20-%20CVE-2019-10092.pdf).
### Additional Resources:
Alternative method for exploiting CVE-2019-10092 presented by Sebastian Neef in this [blog post](https://0day.work/proof-of-concept-for-apache-httpd-limited-cross-site-scripting-in-mod_proxy-error-page-cve-2019-10092/)
文件快照
[4.0K] /data/pocs/35d87bfe20f8cf17acd9adaf711afc8fcc2e7aad
├── [777K] Apache Httpd - CVE-2019-10092.pdf
└── [1.2K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。