I just did some tests, and CGI.SERVER_NAME displays whatever URL was used to access the page.
So if the IP address is 1.1.1.1, and these three hosts point to 1.1.1.1: x.com, b.com, xb.org, and they all point to the same webpage with this code:

<cfdump var="#CGI.SERVER_NAME#" />

it'll output the following:

url: http://1.1.1.1 outputs: 1.1.1.1
url: x.com outputs: x.com
url: b.com outputs: b.com
url: xb.com outputs: xb.com

Since you are using curl and you are specifying the IP in the URL, CGI.SERVER_NAME will be 1.1.1.1. Since this is a private IP address, under certain circumstances, this should never leak. For example, it could leak if you have a device (proxy server or load balancer) between the internet and the server, all requests are being proxied from this device, and the device talks to your server via IP and not via a hostname; then the internet would see the IP address as CGI.SERVER_NAME.

Chad Gray wrote:
> While going through PCI compliance it appears that CGI.SERVER_NAME can leak
> the internal private IP address.
>
> Does CGI.SERVER_NAME default to the internal IP setup in IIS?
>
> I have a re-direct in Application.cfm that if the user is on HTTPS to
> cflocation them to http://#CGI.SERVER_NAME#/ and this leaks the private IP
> 10.1.0.0 when using CURL
>
> curl -0 -k --head -v -H "Host: "https://1.1.1.1

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334100
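The mechanism discussed in this thread, as an added example that is not part of the original posts or of ColdFusion itself: CGI.SERVER_NAME reflects whatever name the client put in the Host header, so a cflocation built from it echoes that name back, and a request with no usable Host header (the curl -0 / empty Host case above) falls through to whatever the listener is bound to. The model below reproduces that with plain Python, beside a hardened variant that only ever redirects to an allow-listed hostname. The hostnames, the allow-list, the fallback address 10.1.0.5 and every request below are constructed for the example; the fallback-to-bound-address behaviour is an assumption matching what the thread reports, not a documented IIS guarantee.

```python
"""Model of a Host-header-driven redirect (what CGI.SERVER_NAME feeds) next to
a hardened version. Added example; the names and addresses are constructed."""

# Assumed deployment facts for the example (not from the thread):
CANONICAL_HOST = "www.example.com"                   # the one public name
ALLOWED_HOSTS = {"www.example.com", "example.com"}   # names we will redirect to
BOUND_ADDRESS = "10.1.0.5"                           # assumed private listener IP


def server_name_from_request(headers: dict, bound_address: str = BOUND_ADDRESS) -> str:
    """Mimic CGI.SERVER_NAME: the request's Host header without its port, or,
    when the request carries no Host header at all, the address the listener is
    bound to (assumption: that is how the private IP surfaces in the thread)."""
    host = headers.get("Host", "").strip()
    if not host:
        return bound_address
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8500
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def vulnerable_redirect(headers: dict) -> str:
    """Equivalent of <cflocation url="http://#CGI.SERVER_NAME#/">: whatever the
    client sent as Host (or the bound address) ends up in the Location header."""
    return "http://%s/" % server_name_from_request(headers)


def hardened_redirect(headers: dict) -> str:
    """Same redirect, but the target is validated against an allow-list and
    falls back to the canonical public name. Neither a private IP nor an
    attacker-chosen hostname can reach the Location header this way."""
    name = server_name_from_request(headers).lower()
    if name not in ALLOWED_HOSTS:
        name = CANONICAL_HOST
    return "http://%s/" % name


def leaks_private_address(location: str) -> bool:
    """Crude check for the PCI finding in the thread: does the Location header
    carry an RFC 1918 address? Only the 10/8 and 192.168/16 prefixes and the
    172.16-31 range are considered."""
    host = location.split("//", 1)[1].split("/", 1)[0]
    parts = host.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return False
    a, b = int(parts[0]), int(parts[1])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


if __name__ == "__main__":
    # Constructed requests: a normal browser hit, the curl reproduction with no
    # Host header, an attacker-supplied Host, and a Host carrying a port.
    samples = [
        {"Host": "www.example.com"},
        {},                                   # curl -0 with the Host header removed
        {"Host": "attacker.example"},
        {"Host": "www.example.com:8443"},
    ]
    for h in samples:
        print("%-32s vulnerable=%-28s hardened=%s"
              % (h, vulnerable_redirect(h), hardened_redirect(h)))
```

The empty-headers case is the one the curl command in the thread exercises: the vulnerable redirect emits the bound address, the hardened one emits the canonical name. The attacker.example case shows the second problem with reflecting SERVER_NAME, an open redirect to any host the client names, which the allow-list closes at the same time. The fix in the thread's terms is to stop building the cflocation target from CGI.SERVER_NAME and use a configured hostname (or a validated one) instead.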