Reflected XSS in Splunk Web Affecting Version 4.0 to 4.3
A vulnerability has be found in Splunk 4.0 - 4.3 that allows partial confidentiality and integrity violation, when a user click on a specifically crafted link that can disclose sensitive information to the attacker. Splunk recommend consumers upgrade to version 4.3.1 and to follow its hardening standard [3] to mitigate the risk of exploitation.
[1] http://www.splunk.com/view/SP-CAAAGTK
[2] http://www.splunk.com/download
[3] http://docs.splunk.com/Documentation/Splunk/latest/Admin/Hardeningstandards
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
What happened to RFI attacks?
Recently, I noticed a remarkable decrease in remote file inclusion attacks against my web servers. Usually, I easily detected 100+ attacks per day using a simple regular expression match. These days, I see maybe a dozen (and they are usually only 2-3 distinct "attacks" meaning different exploits or different attackers.
The number of vulnerabilities exploited also decreased a lot, with many of the older vulnerabilities being no longer probed.
Have all vulnerable systems been exploited or cleaned up? These attacks where never very effective, and a lot of exploits used would not have been successful even against vulnerable systems. In addition, the attacks where usually launched blindly without recognizance, leading to a lot of hits to non existent pages.
For the few attacks still out there, the pattern doesn't have changed much. I checked out a couple of the payloads and they are either simple indicators or PHP IRC bots.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments