<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CERN HTTPD Access Control Bypass (Splunkd service) in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/CERN-HTTPD-Access-Control-Bypass-Splunkd-service/m-p/182151#M1977</link>
    <description>&lt;P&gt;This has been reported to Splunk previously. The vulnerability associated with this finding is CVE-2008-0252.&lt;/P&gt;

&lt;P&gt;Splunk has tried to reproduce and found that directory traversal with "//" and "/./" is not possible with any CherryPy web server that ships with Splunk. As per the Mitre vulnerability:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; &lt;A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0252" target="test_blank"&gt;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0252&lt;/A&gt;

       Directory traversal vulnerability in the _get_file_path function in 
    (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, 
    (2) filter/sessionfilter.py in CherryPy 2.1, and 
    (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In 5.0 and above, Splunk ships with CherryPy 3.1.2. If the version of Splunk you're running is close to current, this is almost certainly a false positive. You should proceed by reporting it as such to the vendor who reported the finding so they can tweak the vulnerability check. &lt;/P&gt;

&lt;P&gt;As an aside, any vulnerabilities discovered can be reported to Splunk via the security portal at this link:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&lt;A href="https://www.splunk.com/goto/report_vulnerabilities" target="test_blank"&gt;https://www.splunk.com/goto/report_vulnerabilities&lt;/A&gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Thu, 19 Dec 2013 17:46:04 GMT</pubDate>
    <dc:creator>jbsplunk</dc:creator>
    <dc:date>2013-12-19T17:46:04Z</dc:date>
    <item>
      <title>CERN HTTPD Access Control Bypass (Splunkd service)</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/CERN-HTTPD-Access-Control-Bypass-Splunkd-service/m-p/182150#M1976</link>
      <description>&lt;P&gt;Vulnerability scanning software returned the following result for a handful of systems in my environment:&lt;/P&gt;

&lt;P&gt;"There exists a vulnerability in the CERN web server running on this&lt;BR /&gt;
host that could allow an attacker to gain access to sensitive files on the&lt;BR /&gt;
system.&lt;BR /&gt;
Service: Splunkd&lt;BR /&gt;
CVSSv2: AV:N/AC:L/Au:P/C:N/I:N/A:N (Base Score:5.00)&lt;/P&gt;

&lt;P&gt;Remediation Action: Filter out input such as '//' and '/./' from page requests."&lt;/P&gt;

&lt;P&gt;Has anyone run across something similar? I'm assuming the service is needed for the Universal Forwarder, but not sure why only a few systems are reporting this vulnerability and not all. The hosts in question are running WIN2012.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Dec 2013 22:12:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/CERN-HTTPD-Access-Control-Bypass-Splunkd-service/m-p/182150#M1976</guid>
      <dc:creator>rgilliam</dc:creator>
      <dc:date>2013-12-17T22:12:44Z</dc:date>
    </item>
    <item>
      <title>Re: CERN HTTPD Access Control Bypass (Splunkd service)</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/CERN-HTTPD-Access-Control-Bypass-Splunkd-service/m-p/182151#M1977</link>
      <description>&lt;P&gt;This has been reported to Splunk previously. The vulnerability associated with this finding is CVE-2008-0252.&lt;/P&gt;

&lt;P&gt;Splunk has tried to reproduce and found that directory traversal with "//" and "/./" is not possible with any CherryPy web server that ships with Splunk. As per the Mitre vulnerability:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; &lt;A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0252" target="test_blank"&gt;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0252&lt;/A&gt;

       Directory traversal vulnerability in the _get_file_path function in 
    (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, 
    (2) filter/sessionfilter.py in CherryPy 2.1, and 
    (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In 5.0 and above, Splunk ships with CherryPy 3.1.2. If the version of Splunk you're running is close to current, this is almost certainly a false positive. You should proceed by reporting it as such to the vendor who reported the finding so they can tweak the vulnerability check. &lt;/P&gt;

&lt;P&gt;As an aside, any vulnerabilities discovered can be reported to Splunk via the security portal at this link:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&lt;A href="https://www.splunk.com/goto/report_vulnerabilities" target="test_blank"&gt;https://www.splunk.com/goto/report_vulnerabilities&lt;/A&gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 19 Dec 2013 17:46:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/CERN-HTTPD-Access-Control-Bypass-Splunkd-service/m-p/182151#M1977</guid>
      <dc:creator>jbsplunk</dc:creator>
      <dc:date>2013-12-19T17:46:04Z</dc:date>
    </item>
  </channel>
</rss>

