Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Reflected XSS in Splunk Web Affecting Version 4.0 to 4.3

Published: 2012-03-07
Last Updated: 2012-03-07 23:44:56 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

A vulnerability has be found in Splunk 4.0 - 4.3 that allows partial confidentiality and integrity violation, when a user click on a specifically crafted link that can disclose sensitive information to the attacker. Splunk recommend consumers upgrade to version 4.3.1 and to follow its hardening standard [3] to mitigate the risk of exploitation.

[1] http://www.splunk.com/view/SP-CAAAGTK
[2] http://www.splunk.com/download
[3] http://docs.splunk.com/Documentation/Splunk/latest/Admin/Hardeningstandards

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Splunk XSS
0 comment(s)

What happened to RFI attacks?

Published: 2012-03-07
Last Updated: 2012-03-07 07:46:18 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Recently, I noticed a remarkable decrease in remote file inclusion attacks against my web servers. Usually, I easily detected 100+ attacks per day using a simple regular expression match. These days, I see maybe a dozen (and they are usually only 2-3 distinct "attacks" meaning different exploits or different attackers.

The number of vulnerabilities exploited also decreased a lot, with many of the older vulnerabilities being no longer probed. 

Have all vulnerable systems been exploited or cleaned up? These attacks where never very effective, and a lot of exploits used would not have been successful even against vulnerable systems. In addition, the attacks where usually launched blindly without recognizance, leading to a lot of hits to non existent pages.

For the few attacks still out there, the pattern doesn't have changed much. I checked out a couple of the payloads and they are either simple indicators or PHP IRC bots.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: php rfi
2 comment(s)
Diary Archives