MS IIS Internal IP Address/Hostname Vulnerability

My vulnerability scanner is flagging my OWA website because of the MS IIS Internal IP Address/Hostname Vulnerability. I have issued the following command "adsutil set w3svc/UseHostName True" and rebooted the server. The vulnerability scan no longer picks up the internal IP address. However, it picks up the INTERNAL hostname and still flags me for the same vulnerability.

That leaves me in catch22. Set the flag to True and use the internal hostname or False and display the IP address. Anyone know a fix for this? How can I get it to show my EXTERNAL hostname or IP address?

Thanks
--
Steve

Are you using W2k3? If yes, get this hotfix or SP1
FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0
http://support.microsoft.com/?id=834141

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

"SteveC" <Ste***@discussions.microsoft.com> wrote in message news:9358889D-F4E8-4B3C-AF00-CBB1EB0BB1F7@microsoft.com...
> My vulnerability scanner is flagging my OWA website because of the MS IIS
> Internal IP Address/Hostname Vulnerability. I have issued the following
> command "adsutil set w3svc/UseHostName True" and rebooted the server. The
> vulnerability scan no longer picks up the internal IP address. However, it
> picks up the INTERNAL hostname and still flags me for the same
> vulnerability.
> That leaves me in catch22. Set the flag to True and use the internal hostname
> or False and display the IP address. Anyone know a fix for this? How can I
> get it to show my EXTERNAL hostname or IP address?
> Thanks
> --
> Steve

I am using Windows 2000 Server with IIS 5. Is there a hotfix for this?
--
Steve

"Bernard Cheah [MVP]" wrote:
> Are you using W2k3? If yes, get this hotfix or SP1
> FIX: IP address is revealed in the content-location field in the TCP header
> in IIS 6.0
> http://support.microsoft.com/?id=834141
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/

Arrghh. sorry. So you are referring to this.
Internet Information Server returns IP address in HTTP header (Content-Location)
http://support.microsoft.com/?id=218180

Setting it to true, you should get the FQDN name. Well, if I remember correctly, you can 'twist' this by setting the related host header, say www.domain.com, and that should be returned with UseHostName set to True.

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

"SteveC" <Ste***@discussions.microsoft.com> wrote in message news:82732D32-FD63-4AA6-BB9B-B439A4ABDC55@microsoft.com...
> I am using Windows 2000 Server with IIS 5. Is there a hotfix for this?
> --
> Steve

The host header was the next thing to try. However, the latest MS updates
that came out a day or so ago seem to have fixed this. My vulnerability scanner no longer picks this up since the latest updates have been applied. Go figure...

Thanks for the help.
--
Steve

"Bernard Cheah [MVP]" wrote:
> Arrghh. sorry. So you are referring to this.
> Internet Information Server returns IP address in HTTP header
> (Content-Location)
> http://support.microsoft.com/?id=218180
>
> Setting it to true, you should get the FQDN name. Well, if I remember
> correctly, you can 'twist' this by setting the related host header, say
> www.domain.com, and that should be returned with UseHostName set to True.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/

wow! I don't remember any of this month's patches having a direct relation with
IIS core engine. If you don't mind, set it back to false, restart IIS services, then see if it goes back to your problem.

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

"SteveC" <Ste***@discussions.microsoft.com> wrote in message news:641B1154-1241-4C4C-AC8A-9D5079A7A240@microsoft.com...
> The host header was the next thing to try. However, the latest MS updates
> that came out a day or so ago seem to have fixed this. My vulnerability
> scanner no longer picks this up since the latest updates have been
> applied.
> Go figure...
>
> Thanks for the help.
> --
> Steve

Since I have no real explanation why the vulnerability suddenly showed up
and then seems to have again vanished, I am hesitant to change it again. It didn't really make sense to me either why the latest updates seemingly fixed this when it was not a vulnerability a couple of weeks ago. Anyway... now that it is working, I would rather not change it.

Thanks
--
Steve

"Bernard Cheah [MVP]" wrote:
> wow! I don't remember any of this month's patches having a direct relation with
> IIS core engine. If you don't mind, set it back to false, restart IIS
> services, then see if it goes back to your problem.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/

That's the thing, it's not really a big deal. Sure it's information
disclosure, but what's in your hostname?

"SteveC" <Ste***@discussions.microsoft.com> wrote in message news:9358889D-F4E8-4B3C-AF00-CBB1EB0BB1F7@microsoft.com...
> My vulnerability scanner is flagging my OWA website because of the MS IIS
> Internal IP Address/Hostname Vulnerability. I have issued the following
> command "adsutil set w3svc/UseHostName True" and rebooted the server. The
> vulnerability scan no longer picks up the internal IP address. However, it
> picks up the INTERNAL hostname and still flags me for the same
> vulnerability.
> That leaves me in catch22. Set the flag to True and use the internal hostname
> or False and display the IP address. Anyone know a fix for this? How can I
> get it to show my EXTERNAL hostname or IP address?
> Thanks
> --
> Steve

I suppose the problem would be that it is just more information for the
hacker to use to attempt access into your systems. If they have the internal hostname or IP, it would seem to make an attack on that machine easier if they gained access to the internal network through another security hole. I just know that my vulnerability scanner (QualysGuard) flags me for this. It does only consider it a level one vulnerability, but a vulnerability nonetheless.
--
Steve

"Chris Weber [Security MVP]" wrote:
> That's the thing, it's not really a big deal. Sure it's information
> disclosure, but what's in your hostname?
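
Added example, not part of the original thread: a Python check that reproduces what the scanner finding discussed here amounts to. It parses a captured response and flags a Content-Location value (and, going beyond the thread, Location) that names a private IP address or a hostname outside the site's published names. The three responses are constructed to mirror the states the posters describe; owa.example.com, OWASRV01 and 10.0.0.5 are made-up values.

```python
import ipaddress
from urllib.parse import urlsplit

# Headers that can carry an absolute URL built from the server's own name.
LEAK_HEADERS = ("content-location", "location")

def parse_headers(raw):
    """Return {lower-cased name: value} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_host(host, public_names):
    """'internal-ip', 'internal-hostname' or 'ok' for one host string."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: any name not on the published list counts as internal.
        return "ok" if host.lower() in public_names else "internal-hostname"
    # is_private covers RFC 1918 ranges as well as loopback and link-local.
    return "internal-ip" if ip.is_private else "ok"

def find_leaks(raw, public_names):
    """List (header, host, verdict) for each header disclosing an internal host."""
    findings = []
    headers = parse_headers(raw)
    for name in LEAK_HEADERS:
        host = urlsplit(headers.get(name, "")).hostname   # None for relative URLs
        verdict = classify_host(host, public_names) if host else "ok"
        if verdict != "ok":
            findings.append((name, host, verdict))
    return findings

# Constructed responses, one per state described in the thread (all values made up).
PUBLIC = {"owa.example.com"}
RESP = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        "Content-Location: http://%s/Default.htm\r\n\r\n")
SAMPLES = {
    "UseHostName False": RESP % "10.0.0.5",
    "UseHostName True": RESP % "OWASRV01",
    "host header set": RESP % "owa.example.com",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", find_leaks(raw, PUBLIC) or "clean")
```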