Apache Httpd mod_proxy – Error Page Cross-Site Scripting

  • 作者: Sebastian Neef
    日期: 2019-10-14
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/47688/
  • The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.
    
    As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is `http://domain.tld/%09//otherdomain.tld`
    
    Here's the httpd configuration to reproduce the behavior:
    
    ```
    <Location />
    ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
    ProxyPassReverse http://127.0.0.1:9000/ 
    Order allow,deny
    Allow from all
    </Location>
    ```