Bugtraq mailing list archives
Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
From: H D Moore <hdm () secureaustin com>
Date: Thu, 9 Aug 2001 23:13:08 -0500
This problem also affects Apache, Netscape Enterprise Server, and probably many others. Apache responds this way if the ServerName directive is not set (or is set to the internal IP) and the UseCanonicalName option is On (which is the default configuration).
From Apache 1.3.x httpd.conf:
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
# UseCanonicalName Off

If ServerName is not set, the system will redirect users to what it thinks its hostname is (hostname.local, host.internal.net, etc). The fix is to either set CanonicalName to Off or set the ServerName variable to the external hostname.

I don't have a local NES system to check, but this demonstrates this problem fairly effectively ;)

telnet www.verXXXgn.com 80
Trying 216.1X8.XXX.XX...
Connected to the.warmfuzzyofinternettrust.com.
Escape character is '^]'.
GET /images HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Fri, 10 Aug 2001 07:10:32 GMT
Location: http://172.16.128.117/images/
Content-length: 0
Content-type: text/html
Connection: close

Connection closed by foreign host.

On Thu, 9 Aug 2001 13:22:39 -0700 "Marc Maiffret" <marc () eeye com> wrote:
this isn't just for HTTPS... this can occur on plain HTTP also depending on how someone has it set up. If you have an IIS web server you should not use "all ip addresses" for a web and instead pick the specific IP so that way IIS does not accidentally return internal IPs etc....

Signed,
Marc Maiffret
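An added example, not part of the original posts: a check an administrator can run over response heads captured from their own servers to find the self-referencing redirect leak shown above. The function names, the `public_names` parameter and `www.example.com` are assumptions; the first sample reuses headers from the response in the post, the second is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Headers in which a server may emit a self-referencing URL.
URL_HEADERS = ("location", "content-location")

def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    headers = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers

def leaked_hosts(raw, public_names):
    """List (header, host, reason) for self-referencing URLs whose host is
    not one of the names the server is supposed to publish."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname  # None for relative URLs
        if host is None or host in public_names:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append((name, host, "unexpected hostname"))
            continue
        reason = "private address" if ip.is_private else "unexpected address"
        findings.append((name, host, reason))
    return findings

# Headers taken from the Netscape Enterprise response quoted in the post.
SAMPLE_NES = ("HTTP/1.1 302 Moved Temporarily\r\n"
              "Server: Netscape-Enterprise/3.6 SP3\r\n"
              "Location: http://172.16.128.117/images/\r\n"
              "Content-length: 0\r\n\r\n")
# Constructed: a redirect built from an unset ServerName, per the post.
SAMPLE_APACHE = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: http://host.internal.net/images/\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_NES, SAMPLE_APACHE):
        print(leaked_hosts(sample, {"www.example.com"}))
```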
Current thread:
- Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Marek Roy (Aug 08)
- <Possible follow-ups>
- RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Marc Maiffret (Aug 09)
- Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 H D Moore (Aug 10)
- RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Microsoft Security Response Center (Aug 09)