splunk + phpgroupware

dfused2 · ‎07-15-2011

In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with splunk.

However, if I telnet to the machine on port 8000 and then issue

GET /phpgroupware/login.php HTTP/1.0

followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.

Why is this, and why would it not just not find the path and give me a 404?

Is there something in Splunk that actually has phpgroupware in it?

araitz · ‎07-19-2011

Please accept the answer if you are satisfied.

araitz · ‎07-18-2011

Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.

If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.

The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.

Thus, Splunk Web is trying to get you to go to http://:/en-US/ - you can verify via the response body.

Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).