[22165] in bugtraq


RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0

daemon@ATHENA.MIT.EDU (Marc Maiffret)
Thu Aug 9 18:55:49 2001

From: "Marc Maiffret" <marc@eeye.com>
To: <marek_roy@hotmail.com>, <bugtraq@securityfocus.com>
Date: Thu, 9 Aug 2001 13:22:39 -0700
Message-ID: <EIEOJCKGEPCLJHGCNNOPOEJPEHAA.marc@eeye.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <MMEPIMEOCNNBECDFLCADMEKPEPAA.marc@eeye.com>

This isn't just for HTTPS... this can occur on plain HTTP also, depending on
how someone has set up. If you have an IIS web server you should not use "all
ip addresses" for a web and instead pick the specific IP so that way IIS
does not accidentally return internal IPs etc....

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall

|| -----Original Message-----
|| From: marek_roy@hotmail.com [mailto:marek_roy@hotmail.com]
|| Sent: Tuesday, August 07, 2001 9:55 PM
|| To: bugtraq@securityfocus.com
|| Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
||
||
|| GGS-AU / e-Synergies Security Advisory
|| August 8, 2001
||
|| Internal IP Address Disclosure in Microsoft-IIS 4.0 &
|| 5.0
||
|| Synopsis:
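
A defender-side check for the leak discussed in this thread, as an added example that is not part of the original posts or of any eEye or Microsoft code: it scans the header block of a captured HTTP or HTTPS response for internal addresses. The sample responses, including the header names that carry the address, are constructed for illustration.

```python
import ipaddress
import re

# Candidate dotted quads; each one is validated with ipaddress below.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# RFC 1918 private ranges plus loopback and link-local.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def internal_ips_in_headers(raw_response):
    """Return (header_name, ip) pairs for internal addresses in the headers."""
    # Only the header block is inspected; the body is ignored.
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    findings = []
    for line in re.split(r"\r?\n", head)[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in _IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:                   # not a valid address
                continue
            if any(addr in net for net in _INTERNAL):
                findings.append((name.strip(), str(addr)))
    return findings


# Constructed sample responses (not captured from a real server).
LEAKY = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
         "Content-Location: http://10.1.2.3/Default.htm\r\n"
         "Content-Type: text/html\r\n\r\n<html>192.168.0.1</html>")
REDIRECT = ("HTTP/1.1 302 Object moved\r\nServer: Microsoft-IIS/4.0\r\n"
            "Location: https://192.168.10.5/admin/\r\n\r\n")
CLEAN = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
         "Content-Location: http://172.32.0.1/Default.htm\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("redirect", REDIRECT), ("clean", CLEAN)):
        print(label, internal_ips_in_headers(resp))
```

Run it against responses saved from your own servers, before and after binding the site to a specific IP, to confirm the internal address no longer appears.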

