Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Friday, December 17, 2010

HTTP Header Internal IP Pattern Disclosure

I found this vulnerability in many web applications. If the web server is not configured properly, a plain "telnet" session to the HTTP port is enough to retrieve the organization's internal IP address pattern (private IP) from a response header. For example, if the DNS name of the web application is "www.abc.com" and the application runs on port 80, connect with telnet to port 80 and send a request that carries no Host header, as shown below.

Open a command prompt and type the following command:

telnet www.abc.com 80

A blank screen will appear. Type the following request and press Enter twice (the empty line is what ends an HTTP request):

HEAD / HTTP/1.0

The response headers will resemble the example shown under the fix below. The line to look at is Content-Location: in a vulnerable configuration its host part is the server's private IP address (an RFC 1918 address such as a 10.x.x.x or 192.168.x.x address) rather than the site's host name.
In this example, the Content-Location header carries the private, internal address of the IIS computer. IIS adds this header when a request for a directory (here "/") is answered with that directory's default document, which is why the URL ends in Default.htm. Because the HTTP/1.0 request above contains no Host header, the server has nothing but its own IP address with which to build the absolute URL. Firewalls and reverse proxies pass the header through unchanged, so the addressing scheme of the internal network is exposed to anyone who can reach the site.
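The telnet steps above, scripted so that the check can be repeated across many hosts, as an added example that is not part of the original post. It sends the same bare HEAD / HTTP/1.0 request (no Host header), parses the reply and reports whether the Content-Location host is an IP literal and whether that address lies in a private range. The sample responses at the bottom are constructed for illustration, not captured from a real server; the www.abc.com name is the one used in the post, and 203.0.113.5 is a documentation address standing in for a public one.

```python
"""Check a web server for the IIS Content-Location internal-IP disclosure.

Added example, not code from the original post. Reproduces the telnet
walkthrough (HEAD / HTTP/1.0 with no Host header) and inspects the
Content-Location header of the reply. The responses at the bottom are
constructed, not captured from a real server.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges that reveal internal addressing when they show up in a public reply:
# RFC 1918, loopback, link-local and their IPv6 counterparts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]

RAW_REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"   # no Host header, exactly as typed into telnet


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Open a TCP connection, send the bare HEAD request and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(RAW_REQUEST)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a dict keyed by lower-cased header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def content_location_ip(headers: dict):
    """Return the IP literal used as the host of Content-Location, or None.

    None means the header is absent or its host part is a name (the fixed state).
    """
    location = headers.get("content-location")
    if not location:
        return None
    host = urlsplit(location).hostname
    if host is None:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None                               # a host name, not an address


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess(raw: bytes) -> dict:
    """Summarise one raw response: header value, IP found, and whether it is internal."""
    headers = parse_headers(raw)
    ip = content_location_ip(headers)
    return {
        "content_location": headers.get("content-location"),
        "ip": ip,
        "internal": bool(ip) and is_internal(ip),
    }


# Constructed responses (not captured): vulnerable, fixed, and a public-address case.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Location: http://10.1.1.1/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 4739\r\n\r\n"
)
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace(b"10.1.1.1", b"www.abc.com")
PUBLIC_IP_RESPONSE = VULNERABLE_RESPONSE.replace(b"10.1.1.1", b"203.0.113.5")

if __name__ == "__main__":
    import sys
    # With a host name argument the script probes a live server; otherwise it
    # runs over the constructed samples.
    if len(sys.argv) > 1:
        print(assess(probe(sys.argv[1])))
    else:
        for label, raw in (("vulnerable", VULNERABLE_RESPONSE),
                           ("fixed", FIXED_RESPONSE),
                           ("public ip", PUBLIC_IP_RESPONSE)):
            print(label, assess(raw))
```

Run it with a host name to probe a live server, or with no arguments to see the three constructed cases. Note that a public IP literal in Content-Location is still worth reporting (it tells you the site is not built from its host name), which is why the result separates "an IP was found" from "the IP is internal"; Python's own is_private() is not used for the range check because it also covers documentation and test ranges that are not internal addressing.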

There are two fixes, depending on the version of IIS in use; follow the steps for your version.

Fix for IIS 4.0, 5.0, or 5.1

Example of the response headers to check (the Content-Location line is the one that matters; in a vulnerable configuration its host part is the server's private IP address rather than a host name):
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0 or Microsoft-IIS/5.0
Content-Location: http://www.domain.com/Default.htm
Date: Thu, 18 Feb 1999 15:08:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 30 Nov 1998 15:40:15 GMT
ETag: "f07f84b9771cbe1:3068"
Content-Length: 4739


Warning Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk. 

Set the value on an IIS 4.0 server

  1. Open a command window (cmd).
  2. Change directory to: winnt\system32\inetsrv\adminsamples.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:
    adsutil set w3svc/UseHostName True
    By default this value is False, so IIS builds the Content-Location URL from its own IP address. Setting it to True makes IIS use the Fully Qualified Domain Name (FQDN) of the computer instead.
  4. We recommend that you restart the Inetinfo service after you make this modification. To stop the Inetinfo process, type the following at the command line:
    net stop iisadmin /y
    Note Make a note of which services are stopped so that you can restart them.
  5. Type the following:
    net start w3svc
    Note This is the minimum required for the Web server to operate again. Any other services to restart depend on what is installed for IIS or Site Server, as noted in step 4.

Set the value on an IIS 5.0 server

  1. Open a command window (cmd).
  2. Change the directory to: inetpub\adminscripts.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:
    adsutil set w3svc/UseHostName True
    By default this value is False, so IIS builds the Content-Location URL from its own IP address. Setting it to True makes IIS use the Fully Qualified Domain Name (FQDN) of the computer instead.
  4. We recommend that you restart the Inetinfo service or restart the computer after you make this modification. To stop the Inetinfo process, type the following at the command line:
    net stop iisadmin /y
    Note Make a note of which services are stopped so that you can restart them.
  5. Type the following:
    net start w3svc
    Note This is the minimum required for the Web server to operate again. Any other services to restart depend on what is installed for IIS or Site Server, as noted in step 4.


IIS 6.0 on Windows Server 2003

For additional information about a fix for IIS 6.0 on Windows Server 2003, see the following Microsoft Knowledge Base article:

http://support.microsoft.com/kb/834141/


