This article is more than 1 year old

That sound you hear is Splunk leaking data

Visit a malicious web page and JavaScript extracts user names

Splunk has patched a slip in its JavaScript implementation that leaks user information.

The advisory at Full Disclosure explains that the leak happens if an attacker tricks an authenticated user into visiting a malicious Web page.

It only leaks the username, and whether or not that user has enabled remote access; but this would provide enough for an attacker to try follow-up phishing attacks to try and get the user's credentials.

The bug, the advisory says, is how Splunk used Object prototypes in JavaScript.

Here's the proof-of-concept JavaScript from the advisory:

<script>
Object.defineProperty( Object.prototype, "$C", { set:function(val){
   //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername:
"+val.USERNAME, "Password")
for(var i in val){
 alert(""+i+" "+val[i]);
  }
 }
});
</script>

<script src="https://VICTIM-IP:8000/en-US/config?autoload=1" type="text/javascript">
</script>

The issue affects Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2, and the company has issued patches for all versions. ®

More about

TIP US OFF

Send us news


Other stories you might like