Security

splunk + phpgroupware

dfused2
Engager

In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with splunk.

However, if I telnet to the machine on port 8000 and then issue

GET /phpgroupware/login.php HTTP/1.0 

followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.

Why is this, and why would it not just not find the path and give me a 404?

Is there something in Splunk that actually has phpgroupware in it?

Tags (3)

araitz
Splunk Employee
Splunk Employee

Please accept the answer if you are satisfied.

0 Karma

araitz
Splunk Employee
Splunk Employee

Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.

If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.

The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.

Thus, Splunk Web is trying to get you to go to http://:/en-US/ - you can verify via the response body.

Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).

Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...