[22182] in bugtraq
Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
daemon@ATHENA.MIT.EDU (H D Moore)
Fri Aug 10 11:18:50 2001
X-Qmail-Scanner-Mail-From: hdm@secureaustin.com via webserver
X-Qmail-Scanner-Rcpt-To: marc@eeye.com marek_roy@hotmail.com bugtraq@securityfocus.com
Date: Thu, 9 Aug 2001 23:13:08 -0500
From: H D Moore <hdm@secureaustin.com>
To: "Marc Maiffret" <marc@eeye.com>
Cc: marek_roy@hotmail.com, bugtraq@securityfocus.com
Message-Id: <20010809231308.6f23f465.hdm@secureaustin.com>
In-Reply-To: <EIEOJCKGEPCLJHGCNNOPOEJPEHAA.marc@eeye.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
This problem also affects Apache, Netscape Enterprise Server,
and probably many others.
Apache responds this way if the ServerName directive is not
set (or is set to the internal IP) and the UseCanonicalName
option is On (which is the default configuration).
From Apache 1.3.x httpd.conf:
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName Off
If ServerName is not set, the system will redirect users to what it
thinks its hostname is (hostname.local, host.internal.net, etc.). The
fix is either to set UseCanonicalName to Off or to set the ServerName
variable to the external hostname.
I don't have a local NES system to check, but this demonstrates this
problem fairly effectively ;)
telnet www.verXXXgn.com 80
Trying 216.1X8.XXX.XX...
Connected to the.warmfuzzyofinternettrust.com.
Escape character is '^]'.
GET /images HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Fri, 10 Aug 2001 07:10:32 GMT
Location: http://172.16.128.117/images/
Content-length: 0
Content-type: text/html
Connection: close
Connection closed by foreign host.
On Thu, 9 Aug 2001 13:22:39 -0700
"Marc Maiffret" <marc@eeye.com> wrote:
> this isn't just for HTTPS... this can occur on plain HTTP also depending on
> how someone has set it up. If you have an IIS web server you should not use "all
> ip addresses" for a web and instead pick the specific IP so that way IIS
> does not accidentally return internal IPs etc....
>
> Signed,
> Marc Maiffret
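Added example, not code from H D Moore's post or from any of the servers discussed: a small Python checker that sends the same bare HTTP/1.0 GET for a directory path without a trailing slash (no Host header, as in the telnet session) and flags a 3xx reply whose Location names a non-global IP address, a bare machine name, or a .local name. The sample response is constructed to mirror the Netscape-Enterprise transcript above, not captured traffic; the function names, the probe() helper that talks to a live host, and the hostname heuristic are assumptions of this example.

```python
"""
Flag redirects that leak an internal address, the behaviour shown in the
Netscape-Enterprise transcript in the post above.

Added example; not code from the original post. Assumes the target is probed
with a bare HTTP/1.0 GET for a directory path without a trailing slash.
"""
import ipaddress
import socket
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample modelled on the transcript in the post (not real traffic).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Netscape-Enterprise/3.6 SP3\r\n"
    b"Date: Fri, 10 Aug 2001 07:10:32 GMT\r\n"
    b"Location: http://172.16.128.117/images/\r\n"
    b"Content-length: 0\r\n"
    b"Content-type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def build_request(path: str = "/images", host: Optional[str] = None) -> bytes:
    """HTTP/1.0 GET for a directory without its trailing slash.

    Leaving out the Host header (host=None) forces the server to use its own
    idea of its name when it builds the self-referencing redirect. Passing a
    host lets you compare: with UseCanonicalName Off, Apache should echo it.
    """
    if path.endswith("/"):
        raise ValueError("probe a directory path without the trailing slash")
    req = f"GET {path} HTTP/1.0\r\n"
    if host:
        req += f"Host: {host}\r\n"
    return (req + "\r\n").encode("ascii")


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_internal_name(location: str) -> Optional[str]:
    """Return the host from `location` if it looks internal, else None.

    IP literals are judged with ipaddress.is_global (RFC 1918, loopback,
    link-local and other non-routable space all fail it). For names, only a
    bare hostname or a .local name is flagged; a private-looking DNS name such
    as host.internal.net needs a site-specific list (heuristic, an assumption).
    """
    host = urlsplit(location).hostname
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host or host.endswith(".local"):
            return host
        return None
    return None if addr.is_global else host


def check_response(raw: bytes) -> Dict[str, Optional[str]]:
    """Evaluate one raw response; 'leak' is the internal name found, if any."""
    status, headers = parse_headers(raw)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else ""
    location = headers.get("location")
    leak = leaked_internal_name(location) if code.startswith("3") and location else None
    return {"status": code, "server": headers.get("server"),
            "location": location, "leak": leak}


def probe(host: str, port: int = 80, path: str = "/images",
          timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Send the bare GET to a live server and evaluate its reply (uses the network)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(path))
        while b"\r\n\r\n" not in b"".join(chunks):
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return check_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # With no argument, evaluate the constructed sample; otherwise probe a host.
    print(check_response(SAMPLE_RESPONSE) if len(sys.argv) < 2 else probe(sys.argv[1]))
```

Run it against a server you are authorised to test; a "leak" value of an RFC 1918 address or a bare hostname means the server built the redirect from its own configured or OS-level name, and on Apache the remedy is the one the post names: set ServerName to the public hostname or set UseCanonicalName Off.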