A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1743957]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Web Server 3
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This flaw is only exploitable if mod_proxy is in use.
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possibly vulnerable configurations:
grep -R '^\s*Proxy' /etc/httpd/
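A broader version of the search above, as an added example that is not part of the original report. It goes beyond the command shown: httpd directive names are case-insensitive, `<Proxy>` and `<ProxyMatch>` sections start with `<`, and a loaded proxy module is worth flagging too. The function names and the sample config tree are constructed for illustration.

```bash
# Added example: audit an httpd config tree for mod_proxy usage.
# Function names and sample data are hypothetical, not from the report.

# Print file:line:text for every active (non-commented) Proxy* directive,
# <Proxy>/<ProxyMatch> section, or LoadModule line loading a proxy module.
find_proxy_config() {
    # -R follows symlinked include directories; -i because httpd directive
    # names are case-insensitive; -n adds line numbers for triage.
    grep -RinE \
        '^[[:space:]]*(<?Proxy|LoadModule[[:space:]]+proxy[a-z0-9_]*_module)' \
        "$1" 2>/dev/null
}

# Return 0 if any proxy-related configuration is present, 1 otherwise.
uses_mod_proxy() {
    find_proxy_config "$1" | grep -q .
}

# Build a small constructed config tree to exercise the search.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/conf.d" "$root/conf.modules.d"
    printf '%s\n' 'LoadModule proxy_module modules/mod_proxy.so' \
        > "$root/conf.modules.d/00-proxy.conf"
    # Commented-out directive (ignored), lower-case directive and a
    # <Proxy> section (both missed by a case-sensitive '^\s*Proxy').
    printf '%s\n' '# ProxyPass /old http://127.0.0.1:8080/' \
        '  proxypass /app http://127.0.0.1:8080/' \
        '<Proxy "*">' '  Require all granted' '</Proxy>' \
        > "$root/conf.d/app.conf"
    printf '%s\n' 'ServerName example.test' > "$root/conf.d/plain.conf"
    echo "$root"
}

# Stand-alone use: pass the config directory, e.g. /etc/httpd/
if [ "$#" -gt 0 ]; then
    find_proxy_config "$1"
fi
```

Included files that live outside the directory passed in are not covered, so check any `Include` paths that point elsewhere.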