Security

splunk + phpgroupware

dfused2
Engager

In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with splunk.

However, if I telnet to the machine on port 8000 and then issue

GET /phpgroupware/login.php HTTP/1.0 

followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.

Why is this, and why would it not just not find the path and give me a 404?

Is there something in Splunk that actually has phpgroupware in it?

Tags (3)

araitz
Splunk Employee
Splunk Employee

Please accept the answer if you are satisfied.

0 Karma

araitz
Splunk Employee
Splunk Employee

Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.

If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.

The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.

Thus, Splunk Web is trying to get you to go to http://:/en-US/ - you can verify via the response body.

Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...