VID 22133
Severity 20
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Microsoft IIS (Internet Information Server) web server discloses its internal IP address.
When a remote attacker requests a web page protected by Basic Authentication with no realm defined and specifies HTTP/1.0, the IIS web server returns an Access Denied error message that includes the internal IP address.
A remote attacker can therefore obtain the internal IP address of the web server. This information could potentially be used to locate other local hosts.

For example, you can test for this vulnerability as follows:

# telnet target_host 80
...
HEAD /directory HTTP/1.0

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="<internal IP address>"
Content-Length: 644 ...
....

Even if the server is protected by a firewall or NAT and uses a private internal IP address, it will disclose the true internal IP address. This helps attackers formulate further attacks.

* Platforms Affected:
Microsoft IIS 4.0

* References:
http://online.securityfocus.com/bid/1499
http://www.iss.net/security_center/static/5106.php
Recommendation Set the default 'realm' string for the root level of the server

1. Open a command prompt.
2. Change the current directory to c:\winnt\system32\inetsrv\adminsamples or to wherever adsutil.vbs can be found.
3. Stop the WWW service
> net stop w3svc
4. Set a default 'realm' string
> cscript adsutil.vbs set w3svc/realm "<default_string>"
5. Start the WWW service
> net start w3svc
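
To confirm that the new realm string is in effect, the 401 response to the HTTP/1.0 request shown in the description can be checked for a realm that is still an IP address. The following Python sketch is an added example, not part of the original advisory; the function names and both sample responses (including the address 192.168.10.25 and the realm "intranet") are constructed for illustration.

```python
import ipaddress
import re

REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = (
    "HTTP/1.1 401 Access Denied\r\n"
    'WWW-Authenticate: Basic realm="192.168.10.25"\r\n'
    "Content-Length: 644\r\n\r\n"
)
AFTER_FIX = (
    "HTTP/1.1 401 Access Denied\r\n"
    'WWW-Authenticate: Basic realm="intranet"\r\n'
    "Content-Length: 644\r\n\r\n"
)

def basic_realms(raw_response):
    """Return the realm values of all Basic WWW-Authenticate headers."""
    # Keep only the header section, tolerating CRLF or bare LF line endings.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    realms = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            value = value.strip()
            if value.lower().startswith("basic"):
                realms += REALM_RE.findall(value)
    return realms

def leaked_addresses(raw_response):
    """Return (address, is_private) for every realm that parses as an IP."""
    found = []
    for realm in basic_realms(raw_response):
        try:
            ip = ipaddress.ip_address(realm.strip())
        except ValueError:
            continue  # an ordinary realm string, nothing disclosed
        found.append((str(ip), ip.is_private))
    return found

if __name__ == "__main__":
    for label, resp in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, basic_realms(resp), leaked_addresses(resp))
```

An empty result from `leaked_addresses` for the post-change response indicates the server now returns the configured realm string instead of its address.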
Related URL CVE-2000-0649 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)