Cross-site scripting in web interface

[GoogleCodeExporter]

Steps to reproduce the problem:

1. Clean your exceptions list
2. Enable learning mode
2. Launch rules generator using command like the following one:
python2.7 naxsi-0.46-1/contrib/rules_generator/http_config.py
3. Go to a protected domain by the following url:
http://{$your_domain}:{$nginx_port}/<script>alert(0)</script>
4. In your browser on the server go to http://localhost:4242/ 

Injected script is executed in your browser 4 times, 1 time for each of special 
characters '<', '>', '(', ')'.

Version 0.46-1 on CentOS-5.7 (x86)

Original issue reported on code.google.com by anaumc...@gmail.com on 24 Jul 2012 at 1:23

[GoogleCodeExporter]

Hi,

http_config is deprecated since 0.44, is no longer present in the releases and 
has never been packaged.
This vulnerability is also not critical, so this issue won't be fixed. 

Original comment by sephirot...@gmail.com on 24 Jul 2012 at 10:12

• Changed state: WontFix