Thursday, February 3, 2011

web server leaks a private IP address through its HTTP headers. how to fix?

I've already located this question on server fault:

Server Fault Question

But there is no answer. Does anyone have any advice on how to fix the issue? We're running 2003 Server R2 Ent, latest service pack is applied, IIS 6.0

Here's what the compliance company is saying:

Synopsis : This web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection. See also : http://support.microsoft.com/support/kb/ articles/Q218/1/80.ASP

Any ideas?

Thanks

From serverfault I.T. Support

  • Umm... have you read the KB and it's companion article for IIS6?

    http://support.microsoft.com/kb/834141/

    I.T. Support : Yes, I followed intructions, server is on the latest service pack. I don't know how to get a hold of the "Hotfix" they speak about after the service pack. Does anyone have a link to this?
    I.T. Support : Ok, so the hotfix should have been included in the latest service pack. So the next section requires you make a reg edit to add the hostname you want to use. What host name would I need to put in there? Is this just a reference to the public IP address?
    joeqwerty : You would use either the UseHostName if you want the server to always send it'd FQDN, such as internalname.internaldomain.local or use the SetHostName if you want the server to send a specific name, such as websitename.domain.com.
    I.T. Support : What if I need different host names for different IIS sites? Would I add a custome header through IIS config?
    joeqwerty : I can't help you with that one. You'll need to do some research on it, sorry.
    I.T. Support : Can I set the host name to an public IP address?
    I.T. Support : We followed instructions, added host names to each site using "Set Host" rescanned and passed compliance
    joeqwerty : Glad to hear it.
    From joeqwerty
Posted by Mu Cat at 8:51 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)