dahebolangkuan / naxsi

Automatically exported from code.google.com/p/naxsi
Other
0 stars 2 forks source link

Cross-site scripting in web interface #43

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Steps to reproduce the problem:

1. Clean your exceptions list
2. Enable learning mode
2. Launch rules generator using command like the following one:
python2.7 naxsi-0.46-1/contrib/rules_generator/http_config.py
3. Go to a protected domain by the following url:
http://{$your_domain}:{$nginx_port}/<script>alert(0)</script>
4. In your browser on the server go to http://localhost:4242/ 

Injected script is executed in your browser 4 times, 1 time for each of special 
characters '<', '>', '(', ')'.

Version 0.46-1 on CentOS-5.7 (x86)

Original issue reported on code.google.com by anaumc...@gmail.com on 24 Jul 2012 at 1:23

GoogleCodeExporter commented 9 years ago
Hi,

http_config is deprecated since 0.44, is no longer present in the releases and 
has never been packaged.
This vulnerability is also not critical, so this issue won't be fixed. 

Original comment by sephirot...@gmail.com on 24 Jul 2012 at 10:12