Security

splunk + phpgroupware

dfused2
Engager

In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with splunk.

However, if I telnet to the machine on port 8000 and then issue

GET /phpgroupware/login.php HTTP/1.0 

followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.

Why is this, and why would it not just not find the path and give me a 404?

Is there something in Splunk that actually has phpgroupware in it?

Tags (3)

araitz
Splunk Employee
Splunk Employee

Please accept the answer if you are satisfied.

0 Karma

araitz
Splunk Employee
Splunk Employee

Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.

If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.

The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.

Thus, Splunk Web is trying to get you to go to http://:/en-US/ - you can verify via the response body.

Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...