CVE-2020-1927 Exploitation Attempt

Aug 21, 2020 ·

Detecting the open redirect vulnerability in mod_rewrite configuration

Sigma rule (View on GitHub)

 1title: CVE-2020-1927 Exploitation Attempt
 2id: 002b58d3-34c1-4a40-9277-97a3a414d287
 3status: experimental
 4description: Detecting the open redirect vulnerability in mod_rewrite configuration
 5references:
 6  - https://0day.work/open-redirects-in-improperly-configured-mod_rewrite-rules-poc-for-cve-2019-10098/
 7author: Loginsoft Research Unit 
 8date: 2020/06/17
 9logsource:
10 product: apache
11 category: webserver
12detection:
13  selection:
14    c-uri|contains: 
15      - '/%0A'
16      - '/%0a'
17    sc-status:
18      - 302
19      - 404
20  condition: selection
21level: low```

References

Open Redirects In Improperly Configured mod_rewrite Rules (PoC for CVE-2019-10098?)

I recently came across the following Apache vulnerability [https://httpd.apache.org/security/vulnerabilities_24.html]: "mod_rewrite potential open redirect (CVE-2019-10098)", but I couldn't find a proof of concept, so I started playing around with possible open redirects in mod_proxy that are caused by improperly configured rewrite rules.

Read More

CVE-2020-1927 Exploitation Attempt

Sigma rule (View on GitHub)

References

Open Redirects In Improperly Configured mod_rewrite Rules (PoC for CVE-2019-10098?)