Hi,

Following a scan of a web server with Qualys Community Edition, a
vulnerability was reported as below.
------------------------------------------------------------------------------------------------------------

Web Server Internal IP Address/Internal Network Name Disclosure
Vulnerability   port 80/tcp


QID:
    86247
Category:
    Web server
CVE ID:
    CVE-2000-0649
Vendor Reference:
    -
Bugtraq ID:
    1499
Service Modified:
    10/01/2018
User Modified:
    -
Edited:
    No
PCI Vuln:
    Yes

RESULTS:
    GET / HTTP/1.0



    HTTP/1.0 302 Found
    Date: Fri, 01 Mar 2019 15:08:31 GMT
    Server: OpenBSD httpd
    Connection: close
    Content-Type: text/html
    Content-Length: 419
    Location: https://192.168.1.101/


THREAT:
    Some Web servers contain a vulnerability giving remote attackers
the ability to attain your internal IP address or internal network
name.

    An attacker connected to a host on your network using HTTPS
(typically on port 443) could craft a specially formed GET request
from the Web server resulting in a 3XX Object Moved error message
containing the internal IP address or internal network name of the Web
server.

    A target host using HTTP may also be vulnerable to this issue.

    QID Detection Logic:
    The remote check for the web server internal IP address sends an
HTTP GET request to the target web server. The QID is flagged if a
"Content-location:" header or a 3xx redirect address in an HTTP
response contains an RFC1918 IP address.

    PCI DSS 3.2 requirement 1.3.7 "do not disclose private IP
addresses and routing information to unauthorized parties".
    This is a PCI Fail since confidential information about your
network is leaked.

IMPACT:
    Successful exploitation of this vulnerability results in the
disclosure of your internal IP address or internal network name, which
could then be used in further attacks against the target host.

SOLUTION:
    There are no patches available at this time. Please contact your
vendor for updates.

    Workaround:

    For IIS Web Server 6.x and prior:
    Check the Microsoft article on how to set the Hostname instead of
internal IP address for IIS.

    For IIS 7.0
    The release version of IIS7 by default includes the functionality
of masking the IP address. Refer to Removing an IIS server's IP
address from HTTP responses.

    For Apache Web Server:
    Modify the Apache configuration file as follows:
    - Set "ServerName" to a proper FQDN.
    or
    - Use module mod_rewrite to modify the 3xx error message returned
by the server.

    No workaround information is available for other Web servers at
this time. Refer to your vendor for an appropriate workaround.

COMPLIANCE:
    Not Applicable

EXPLOITABILITY:

    The Exploit-DB

    Reference:
        CVE-2000-0649
    Description:
        Microsoft IIS 2.0/3.0/4.0/5.0/5.1 - Internal IP Address
Disclosure - The Exploit-DB Ref : 20096
    Link:
        http://www.exploit-db.com/exploits/20096

ASSOCIATED MALWARE:
    There is no malware information for this vulnerability.

------------------------------------------------------------------------------------------------------------
Web server configuration as follows:

        # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

        server "xyz.com" {
                listen on * port 80
                location "/.well-known/acme-challenge/*" {
                        root "/acme"
                        request strip 2
                }
                location * {
                        block return 302 "https://$HTTP_HOST$REQUEST_URI";
                }
        }

        server "xyz.com" {
                listen on * tls port 443
                hsts
                tls {
                        certificate "/etc/ssl/xyz.com.fullchain.pem"
                        key "/etc/ssl/private/xyz.com.key"
                }
                location "/.well-known/acme-challenge/*" {
                        root "/acme"
                        request strip 2
                }
                location "/xyz.com/*" {
                        root "/"
                        fastcgi
                }
        }

Any indications on how to prevent the disclosure?

Regards,

Kihaguru.
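An added example (not from the original post, from Qualys or from the OpenBSD project) that reproduces the QID detection logic quoted above on a raw HTTP response, so the check can be re-run against a capture before and after a configuration change. Both sample responses are constructed; the second assumes the port-80 redirect is built from the configured server name (the `$SERVER_NAME` macro of httpd.conf(5)) instead of `$HTTP_HOST`, which expands to whatever Host header the client sent and is therefore echoed back to a scanner that connects by IP address.

```python
import ipaddress
import re

# Constructed sample: the 302 quoted in the Qualys RESULTS above, re-typed
# as test input (not a live capture).
LEAKING_RESPONSE = ("HTTP/1.0 302 Found\r\n"
                    "Server: OpenBSD httpd\r\n"
                    "Location: https://192.168.1.101/\r\n\r\n")
# Constructed: the same redirect once it is built from the configured
# server name instead of the client-supplied Host header.
FIXED_RESPONSE = ("HTTP/1.0 302 Found\r\n"
                  "Server: OpenBSD httpd\r\n"
                  "Location: https://xyz.com/\r\n\r\n")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Host part of an absolute URL: scheme://host[:port]/...
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)

def split_response(raw):
    """Return (status code, lowercase-keyed header dict) for a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    fields = status.split()
    code = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def leaked_private_address(raw):
    """Mirror the QID 86247 check: an RFC1918 address in Content-Location,
    or in Location on a 3xx response, is a finding. Return it, else None."""
    code, headers = split_response(raw)
    candidates = [headers.get("content-location")]
    if 300 <= code < 400:
        candidates.append(headers.get("location"))
    for value in candidates:
        m = URL_HOST_RE.match(value or "")
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # a hostname, not a literal address: fine
            continue
        if any(ip in net for net in RFC1918):
            return str(ip)
    return None
```

Feed it the response of a request that carries a Host header set to the server's own private address: a redirect that still echoes that address means the Location is being reflected from the request rather than taken from the configuration.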
