| VID |
22132 |
| Severity |
20 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Microsoft IIS (Internet Information Server) web server discloses its internal IP address. When certain requests are sent to the web server with a blank Host name in the HTTP header, the IIS server response will often contain the server's IP address. A remote attacker can thereby obtain the internal IP address of the web server. This information could potentially be used to locate other local hosts. If a PROPFIND HTTP request is made, the server will return a 207 Multi-Status response that includes the IP address as part of the HREF header. Using the WRITE or MKCOL method will return the machine's IP address in the Location HTTP header of the response.
# telnet target_host 80
...
PROPFIND / HTTP/1.1
Host:
Content-Length: 0
Even if the server is protected by a firewall or NAT and uses a private internal IP address, it will disclose the true internal IP address. This helps attackers formulate further attacks.
* Platforms Affected: Microsoft IIS 4.0, Microsoft IIS 5.0, Microsoft IIS 5.1 |
| Recommendation |
Configure IIS to use the machine's host name rather than its IP address.
1. Open a command prompt.
2. Change the current directory to c:\inetpub\adminscripts or to where adsutil.vbs can be found.
3. Stop the WWW service.
> net stop w3svc
4. Set IIS to use the machine's host name.
> cscript adsutil.vbs set w3svc/UseHostName True
5. Start the WWW service.
> net start w3svc |
| Related URL |
CVE-2002-0422 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
8385 (ISS) |
|