PCI Pen Test Failure, Internal IP Exposed

Question

0.00/5 (No votes)

See more:

Hi,

I've recently failed a PCI penetration test because IIS was including the internal Server IP address in the response header.

Is this header something that can be removed by configuring IIS or will I have to write code in my website to remove it from the response?

More information:

It only exposes the internal IP when viewing a folder, without content and without sending a http host header.

E.g.

https://mysite.com/images

Posted 27-Jul-12 0:21am

Stephen Hewison

Updated 27-Jul-12 1:01am

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Stephen Hewison · Accepted Answer · 2012-07-27T01:20:00

I found the solution.

I think it is a bug in IIS 7? When requesting a directory instead of a page or some static content. The server returns a HTTP 301 Moved Permanently.

This includes the Location response header, but IIS fails to use the alternateHostName when generating the header content. So it reverts back to the internal IP.

The ability to make this kind of request relies on the "List Folder Contents" permission within IIS. If you deny this permission to the relevant security principle when the user makes the request the server returns a HTTP 401 Unauthorized, which does not include the location header and as such the internal ip.