Security

splunk + phpgroupware

dfused2
Engager

In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with splunk.

However, if I telnet to the machine on port 8000 and then issue

GET /phpgroupware/login.php HTTP/1.0 

followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.

Why is this, and why would it not just not find the path and give me a 404?

Is there something in Splunk that actually has phpgroupware in it?

Tags (3)

araitz
Splunk Employee
Splunk Employee

Please accept the answer if you are satisfied.

0 Karma

araitz
Splunk Employee
Splunk Employee

Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.

If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.

The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.

Thus, Splunk Web is trying to get you to go to http://:/en-US/ - you can verify via the response body.

Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...