-
Notifications
You must be signed in to change notification settings - Fork 605
olds Security Advisories
Because nobody's perfect and coding while drunk is dangerous !
As stated on the project's homepage, you can send me an email directly. Or, you can use the issues
- Rated : Medium-Low
- Date : 26 March 2013
- Affected : All
- Fixed in : 0.50-1 r565 (on Google code)
- Discovered by : Safe3
- References : http://seclists.org/bugtraq/2013/Mar/133
Naxsi does not suppress/decode incorrectly url-encoded characters. On the other hand, IIS/ASP will treat "s%e%l%e%c%t" as "select", while naxsi will still see it as "s%e%l%e%c%t", thus rendering SQL keywords rule ineffective. Only the SQL-keywords rule is affected, thus the exploitation window is limited to quote-less, two-fields (max) SQL injections.
- Rated: Medium
- Date 18 May 2012
- Affected: 0.46
- Fixed in: 0.46-1
- Discovered by : Naxsi dev team
- References: oss-security Secunia Securelist
Local includes in nx_extract are not properly filtered, allowing a remote attacker to disclose files local to nx_extract. More details https://code.google.com/p/naxsi/source/detail?r=307
- Rated: Low
- Date: 2 Apr 2012
- Affected: 0.44
- Fixed in: 0.44-1
- Discovered by : Naxsi dev team
Ironically, an SQL Injection is present in naxsi's new python learning daemon (nx_intercept.py). The vulnerability is rated as low, as:
- Learning daemon is usually restricted to trusted IPs
- No sensitive data are present into database, as it is only used to store exceptions. The vulnerabilty only affects the nx_intercept python daemon, not the naxsi's core. Vulnerable code is:
if md5 is not None and ip is not None:
cursor.execute("INSERT INTO http_monitor (peer_ip, md5) VALUES ('%s', '%s')" % (ip, md5))
return