Bug 58226

Summary: XSS in Error Page
Product: Apache httpd-2 Reporter: greyhat
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED WONTFIX    
Severity: major    
Priority: P2    
Version: 2.4.25   
Target Milestone: ---   
Hardware: PC   
OS: All   
Attachments: Hove over the link and see the payload

Description greyhat 2015-08-08 06:18:55 UTC 
Created attachment 32983 [details]
Hove over the link and see the payload

Setup Details : Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.6.11

Request to server:

GET /not_existing_link HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: javascript:alert(1)//452bce05
Cookie: _ga=GA1.1.1225409471.1439004440; _gat=1
Connection: keep-alive

When we send the above request to the server, the script in the referer header (Referer: javascript:alert(1)//452bce05) gets embedded in the error page.

This gets executed when the user clicks on the link.(Image attached)

The same can be used for SELF XSS.

Recommendation: Convert respective characters from the referer header into their HTML entities.
Comment 1 ildar.aim 2017-06-14 16:28:25 UTC 
I have the same issue for 

aim-server[~/tmp/deti_dohtur]$ httpd -M  
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 authz_core_module (shared)
 access_compat_module (shared)
 socache_shmcb_module (shared)
 include_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 mpm_event_module (shared)
 unixd_module (shared)
 autoindex_module (shared)
 suexec_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 fastcgi_module (shared)
aim-server[~/tmp/deti_dohtur]$ httpd -V
Server version: Apache/2.4.25 (Unix)
Server built:   May 21 2017 22:05:06
Server's Module Magic Number: 20120211:67
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/bin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
aim-server[~/tmp/deti_dohtur]$ httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
aim-server[~/tmp/deti_dohtur]$ uname -a
Linux aim-server.crtdev.local 4.11.3-1-ARCH #1 SMP PREEMPT Sun May 28 10:40:17 CEST 2017 x86_64 GNU/Linux
aim-server[~/tmp/deti_dohtur]$
Comment 2 ildar.aim 2017-06-14 16:33:33 UTC 
It seems you have to change the templates likes 
/usr/share/httpd/error/HTTP_NOT_FOUND.html.var
sanitize the HTTP_REFERER variable
Comment 3 Mark Cox 2019-06-17 10:00:21 UTC 
We do not treat this as a security issue.  Due to it requiring a malicious referer header it is not possible to leverage this issue in any form of practical XSS attack