kofa2002 / splunk

splunk enterprise information disclosure

Splunk has published review #1

Open maljb opened 6 years ago

maljb commented 6 years ago

Hi, @kofa2002! Thanks for your great job.

Here is some news about this vulnerability: Splunk announced a review of CVE-2018-11409 on 6/18 (https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings). They said it only exposes information before Splunk Enterprise 6.6.0, and I have also tested this issue, but it exposed information only after logging in on 7.0.0.

So, I think you need to go down to 6.6.0 from 7.0.1 for the affected version and include Splunk's announcement.

kofa2002 commented 6 years ago

@maljb Hi maljb, thank you for your information.

This vulnerability was tested on Splunk 7.0.1 and before, as I mentioned in my PoC, and it is working without authentication.

maljb commented 6 years ago

@kofa2002 thank you for your reply.

I tested new scenarios after reading your reply.

1) clean install 7.0.1

2) clean install 6.5.9 and upgrade to 7.0.1

3) clean install 6.5.9 and copy restmap.conf to etc/system/local from etc/system/default and upgrade to 7.0.1

So, I think this vulnerability can be accepted if using the misconfigured default "restmap.conf" provided by 6.5.9. Have you tested a clean install of 7.0.1?

kofa2002 commented 6 years ago

Hi. Thank you for your reply and testing. Today I'll conduct a test, then I'll get in touch with you again.

On Tue, Jun 19, 2018, 11:11 AM maljb notifications@github.com wrote:

@kofa2002 thank you for your reply.

I tested new scenarios after reading your reply.

  1. clean install 7.0.1
    • not vulnerable
  2. clean install 6.5.9 and upgrade to 7.0.1
    • not vulnerable
  3. clean install 6.5.9 and copy restmap.conf to etc/system/local from etc/system/default and upgrade to 7.0.1
    • vulnerable

So, I think this vulnerability can be accepted if using the misconfigured default restmap.conf on 6.5.9. Have you tested a clean install of 7.0.1?

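Scenario 3 in the thread leaves a pre-upgrade copy of restmap.conf in etc/system/local, and Splunk's configuration layering ranks etc/system/local above etc/system/default, so the copied settings keep applying after the upgrade. The following is an added example, not code from this repository or from Splunk, that lists local restmap.conf settings which differ from or are missing in the shipped default; the stanza names and values in the samples are constructed.

```python
"""List restmap.conf settings in etc/system/local that shadow etc/system/default."""
import sys

# Constructed samples; not the real contents of any Splunk release.
DEFAULT_SAMPLE = """\
[admin:example_info]
match = /example/info
requireAuthentication = true
"""
LOCAL_SAMPLE = """\
# stale copy of an older default, left in place across an upgrade
[admin:example_info]
match = /example/info
requireAuthentication = false

[admin:example_old]
match = /example/old
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues the value
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def shadowed_settings(default_text, local_text):
    """Return (stanza, key, local, shipped) where local differs; shipped is None if absent."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    findings = [(s, k, v, default.get(s, {}).get(k))
                for s, keys in local.items() for k, v in keys.items()
                if default.get(s, {}).get(k) != v]
    return sorted(findings, key=lambda f: f[:2])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <default restmap.conf> <local restmap.conf>
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    else:
        texts = [DEFAULT_SAMPLE, LOCAL_SAMPLE]
    for stanza, key, local, shipped in shadowed_settings(*texts):
        print(f"[{stanza}] {key}: local={local!r} shipped default={shipped!r}")
```

An empty result means the local file overrides nothing in the shipped default; any finding is a setting to review against the vendor's current restmap.conf before keeping it.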