In running vulnerability scans, I'm getting that the server has phpgroupware installed, but it seems to be getting confused with Splunk.
However, if I telnet to the machine on port 8000 and then issue
GET /phpgroupware/login.php HTTP/1.0
followed by a blank line (enter), I end up with a 302 redirect to http://0.0.0.0/en-US/phpgroupware/login.php.
Why is this, and why would it not just not find the path and give me a 404?
Is there something in Splunk that actually has phpgroupware in it?
Splunk does not use PHP or PHPGroupware. This is a very common 'file include' false positive that we see with many vulnerability scanners.
If you look in $SPLUNK_HOME/var/log/splunk/web_access.log, you will see a 404 followed by a 302.
The 302 is returned by Splunk Web because you specified HTTP 1.0 and you specified no host header.
Thus, Splunk Web is trying to get you to go to http://
Try requesting via HTTP/1.1 or by including a host header, to verify the results (or just use a modern browser).
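The check suggested in the answer, written as an added example (not part of the original thread and not Splunk code): it builds the HTTP/1.1 request with a Host header and classifies the reply, so a 302 that only re-prefixes the probed path is not counted as proof the file exists. The function names and labels are hypothetical, and the sample responses are constructed.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample responses (not captured traffic). The first mirrors the
# 302 from the question; the second is a plain 404.
SAMPLE_302 = (b"HTTP/1.0 302 Found\r\n"
              b"Location: http://0.0.0.0/en-US/phpgroupware/login.php\r\n\r\n")
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

def build_probe(path, host):
    """HTTP/1.1 request with an explicit Host header, as the answer suggests."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def triage(path, raw):
    """Classify one scanner probe result for `path`."""
    status, headers = parse_response(raw)
    if status == 404:
        return "not-present"
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("location", "")).path
        # Same path with only a prefix added: the server rewrote the URL;
        # that says nothing about whether the file exists.
        if target != path and target.endswith(path):
            return "redirect-only"
        return "follow-redirect"
    return "needs-review"

def fetch(host, port, path, timeout=5.0):
    """Send the probe to a live server and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(path, f"{host}:{port}"))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

if __name__ == "__main__":
    for sample in (SAMPLE_302, SAMPLE_404):
        print(triage("/phpgroupware/login.php", sample))
```

Against a live server, pass the bytes from `fetch(host, 8000, path)` to `triage`, and request the redirect target the same way before closing the finding.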