Bugtraq mailing list archives

Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0


From: H D Moore <hdm () secureaustin com>
Date: Thu, 9 Aug 2001 23:13:08 -0500

This problem also affects Apache, Netscape Enterprise Server, 
and probably many others.

Apache responds this way if the ServerName directive is not
set (or is set to the internal IP) and the UseCanonicalName 
option is On (which is the default configuration).  

From Apache 1.3.x httpd.conf:

# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName Off

If ServerName is not set, the system will redirect users to what it 
thinks its hostname is (hostname.local, host.internal.net, etc). The
fix is to either set UseCanonicalName to Off or set the ServerName 
variable to the external hostname.

I don't have a local NES system to check, but this demonstrates this
problem fairly effectively ;)

telnet www.verXXXgn.com 80
Trying 216.1X8.XXX.XX...
Connected to the.warmfuzzyofinternettrust.com.
Escape character is '^]'.
GET /images HTTP/1.0
 
HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Fri, 10 Aug 2001 07:10:32 GMT
Location: http://172.16.128.117/images/
Content-length: 0
Content-type: text/html
Connection: close
 
Connection closed by foreign host.
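The telnet session above is a manual version of a check an administrator can run against their own servers. The following is an added example (not part of the original post, and not code from any of the vendors discussed): it parses a raw HTTP response, pulls the host out of the Location header, and reports it when the host is a literal address in a private, loopback or link-local range, or a hostname of the "hostname.local" kind the post mentions. The sample response is constructed to mirror the Netscape Enterprise reply quoted above; the hostname heuristic (no dots, or a .local/.localdomain suffix) is an assumption of this example, not a rule from the post.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: same shape and values as the 302 shown in the post,
# embedded here so the check runs offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Netscape-Enterprise/3.6 SP3\r\n"
    b"Date: Fri, 10 Aug 2001 07:10:32 GMT\r\n"
    b"Location: http://172.16.128.117/images/\r\n"
    b"Content-length: 0\r\n"
    b"Content-type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; hostnames are handled separately
    return addr.is_private or addr.is_loopback or addr.is_link_local


def looks_internal_hostname(host: str) -> bool:
    """Heuristic (assumption of this example): a bare name with no dots, or a
    .local / .localdomain suffix, is what a server falls back to when it
    reports its own unqualified or mDNS hostname rather than a public name."""
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith((".local", ".localdomain"))


def find_internal_ip_leak(raw: bytes):
    """Return the internal host a redirect points at, or None if nothing leaks.

    Looks at Location first, then Content-Location, since both are built
    from the server's idea of its own name."""
    _status, headers = parse_headers(raw)
    target = headers.get("location") or headers.get("content-location")
    if not target:
        return None
    host = urlsplit(target).hostname
    if not host:
        return None
    if is_internal_address(host) or looks_internal_hostname(host):
        return host
    return None


def fetch_raw(host: str, port: int = 80, path: str = "/images", timeout: float = 5.0) -> bytes:
    """Send the same directory request the post types by hand (no trailing
    slash, no Host header, HTTP/1.0) to a server you administer and return
    the raw response, for feeding into find_internal_ip_leak()."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    leaked = find_internal_ip_leak(SAMPLE_RESPONSE)
    print("leaked internal host:", leaked)  # 172.16.128.117 for the sample
```

A None result means the redirect named a public hostname or address. On Apache the remedy the post describes is either `UseCanonicalName Off` or a `ServerName` set to the externally visible name; rerunning this check after the change confirms the Location header no longer carries the internal address.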

On Thu, 9 Aug 2001 13:22:39 -0700
"Marc Maiffret" <marc () eeye com> wrote:

This isn't just for HTTPS... this can occur on plain HTTP also depending on
how someone has set it up. If you have an IIS web server you should not use "all
IP addresses" for a web and instead pick the specific IP so that way IIS
does not accidentally return internal IPs etc....

Signed,
Marc Maiffret
