@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
=@@@@
@@@@
@@@@
@@@@ @@@@
@@@@ @@@@@
@@@@@ @@@@@
@@@@@ @@@@@
:@@@@ *@@@@
@@@@ :@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@= @@@@
@`
[deroad's blog]
[home]
# 2020-09-24 | Naxsi 1.1 and 1.1a security update
{
Well after almost 2 years i decided to take under my arm naxsi and give it a bit of love.
Before everything, a big thank you to 0xflotus marcinguy and squedgy for their PRs.
I have re-formatted the code and added some checks where needed.
The repository have received multiple PRs that needed/wanted to add some cool new features.
I fixed several issues related to memory leaks, wrong encoding, etc.., i also have updated
the version of libinjection to 3.9.2 (commit: 991433e7).
I have also released the deb packages of the following distros:
- debian: bullseye, buster, sid, stretch
- ubuntu: bionic, focal
You can use these packages in a configuration that can look like this:
http {
access_log /tmp/logs_access.log;
error_log /tmp/logs_error.log;
default_type text/plain;
keepalive_timeout 68;
include /usr/share/naxsi/naxsi_core.rules;
server {
listen 1984;
server_name 'localhost';
client_max_body_size 30M;
location / {
include /usr/share/naxsi/naxsi_learning_mode.conf;
include /usr/share/naxsi/rules/wordpress.rules;
root /var/www/html/;
index index.html index.htm;
}
include /usr/share/naxsi/naxsi_denied_url.conf;
}
}
One last point regarding version 1.1a (security update).
I have patched some security vulnerabilities reported by Synacktiv which impacts Naxsi.
These vulnerabilities are quite simple to exploit and can impact the security of the web application
that you might want to secure via Naxsi.
You can find below a link to the full report that explains all the vulnerabilities and how to exploit them.
}
# References:
NBS-System Naxsi - version 1.1a (security update)
https://github.com/nbs-system/naxsi/releases/tag/1.1a
https://www.synacktiv.com/publications/bypassing-naxsi-filtering-engine.html
NBS-System Naxsi - version 1.1 (ignore this version)
https://github.com/nbs-system/naxsi/releases/tag/1.1