CVE-2019-10098 Exploitation Attempt

Aug 21, 2020 ·

Detects open redirect vulnerability in mod_rewrite configuration.

Sigma rule (View on GitHub)

 1title: CVE-2019-10098 Exploitation Attempt
 2id: 326da16d-5f47-4895-bb0f-2a15dfb87c81
 3status: experimental
 4description: Detects open redirect vulnerability in mod_rewrite configuration. 
 5references:
 6  - https://0day.work/open-redirects-in-improperly-configured-mod_rewrite-rules-poc-for-cve-2019-10098/
 7author: Loginsoft Research Unit 
 8date: 2020/06/17
 9logsource:
10 product: apache
11 category: webserver
12detection:
13  selection:
14    sc-status: 302
15    c-uri|contains: 
16      - '/%0A'
17      - '/%0a'
18  condition: selection
19level: medium```

References

Open Redirects In Improperly Configured mod_rewrite Rules (PoC for CVE-2019-10098?)

I recently came across the following Apache vulnerability [https://httpd.apache.org/security/vulnerabilities_24.html]: "mod_rewrite potential open redirect (CVE-2019-10098)", but I couldn't find a proof of concept, so I started playing around with possible open redirects in mod_proxy that are caused by improperly configured rewrite rules.

Read More

CVE-2019-10098 Exploitation Attempt

Sigma rule (View on GitHub)

References

Open Redirects In Improperly Configured mod_rewrite Rules (PoC for CVE-2019-10098?)