
IIS 10 on Windows Server 2016. All current patches are installed. A recent PCI scan claims that the internal IP address of the server is being leaked in HTTP headers. Unfortunately, this scanning company does not give you any details as to how they reached this conclusion so that I can reproduce it. All of my research seems to indicate that this is not an issue in IIS 10, only older versions of IIS. I do have URL rewrite rules that use redirect for ensuring connections are https, and that they have www in the host name.

    <rule name="HTTPS Redirect">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www">
      <match url="(.*)" />
      <conditions trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="^example\.com$" />
      </conditions>
      <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
    </rule>

What is causing the server to leak the internal IP address, and how can I prevent it? I have tried using curl -lkL example.com but I do not see the IP address in any of the returned headers.

CB_Ron
  • If it's not IIS, then what services are running on the server, or on backends it connects to? Myself, I'd like to know what harm there is in a leaked internal IP address. – Gerard H. Pille Apr 14 '20 at 16:39
  • @GerardH.Pille From the scan results: `PCI DSS 3.2 requirement 1.3.7 "do not disclose private IP addresses and routing information to unauthorized parties".` A mailserver is running on the server, but it is only used for outbound emails from the website. There is no inbound access to it. – CB_Ron Apr 14 '20 at 17:13
  • That information can only be used when someone has access to the intranet or DMZ, but at that time you'll have other worries. Was the "scanning company" asked to check your server? But with the information you provide, one can only guess. Let the mail server send you a message, you may very well find IP addresses in it. (received from ...) – Gerard H. Pille Apr 14 '20 at 18:29
  • @GerardH.Pille I don't make the PCI rules, I just have to live by them ;-) The scanning company is hired by the payment processor to perform the quarterly PCI vulnerability scans. They don't scan emails, but yes, you are correct that private IP addresses often appear in the email headers. – CB_Ron Apr 14 '20 at 20:14
  • Duplicate to https://serverfault.com/questions/391356/ignoring-http-1-0-requests-in-iis – Lex Li Apr 17 '20 at 00:03
  • @LexLi are you saying that it is HTTP/1.0 requests that are leaking the private IP address? – CB_Ron Apr 18 '20 at 18:12
  • More details can be found in https://support.microsoft.com/en-ca/help/967342/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-htt – Lex Li Apr 18 '20 at 18:40

2 Answers

To replicate what they were trying, do the following;

    openssl s_client -host www.docuboxportal.com -port 443
    ...
    GET / HTTP/1.0
Andrew Schulman
  • Thank you, but LexLi answered my problem in his comments on the original post. It was the HTTP/1.0 that was leaking it. I have since configured the webserver to reject HTTP/1.0 requests. – CB_Ron Oct 08 '20 at 15:54
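The probe in this answer and the fix CB_Ron describes in the comment can be turned into a repeatable check. The script below is an added example for this thread, not code from either answer: it sends the same `GET / HTTP/1.0` request with no Host header over TLS and reports any RFC 1918, loopback or link-local IPv4 address found in the response headers, which for the IIS behaviour described in the Microsoft article linked in the comments is the Location header of the redirect the server generates when no Host header arrives. Function names, the `X-Constructed-Origin` header and all three sample responses are this example's own constructions, not captured from a real server.

```python
"""Verify whether a server reveals an internal IPv4 address in response headers
when it receives an HTTP/1.0 request without a Host header.

Added example for this Server Fault thread, not code from the original answers.
"""
import ipaddress
import re
import socket
import ssl
import sys

# Dotted-quad candidates; validity and scope are decided by ipaddress below.
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# The request the answer types by hand: HTTP/1.0 and deliberately no Host header.
PROBE_REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def find_private_ips(raw_response: bytes) -> list:
    """Return (header-name, address) pairs for every non-public IPv4 address
    found in the header block of a raw HTTP response.

    ipaddress.is_private covers RFC 1918 (10/8, 172.16/12, 192.168/16),
    loopback and link-local, so 172.32.0.1 is treated as public while
    172.31.4.2 is flagged; a grep for "172." would get this wrong.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    hits = []
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        for candidate in _IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # "300.1.1.1" matches the regex but is not an address
                continue
            if addr.is_private:
                hits.append((name.strip().lower(), candidate))
    return hits


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection to host:port, send PROBE_REQUEST and return the raw response."""
    context = ssl.create_default_context()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(PROBE_REQUEST)
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real server).
LEAKING_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://10.0.0.5/\r\n"        # bound address used instead of a hostname
    b"Server: Microsoft-IIS/10.0\r\n"         # "10.0" is not a dotted quad, must not match
    b"Content-Length: 0\r\n\r\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)
EDGE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://172.31.4.2/\r\n"      # inside 172.16/12: private
    b"X-Constructed-Origin: 172.32.0.1\r\n"   # just outside 172.16/12: public
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        raw = probe(sys.argv[1])  # live check against a host you administer
    else:
        raw = LEAKING_RESPONSE    # offline demonstration on the constructed sample
    leaks = find_private_ips(raw)
    print("status:", raw.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace"))
    for header, address in leaks:
        print(f"internal address {address} exposed in header '{header}'")
    if not leaks:
        print("no internal address found in response headers")
```

Run it as `python check_http10_leak.py www.example.com` against your own server before and after the change. Besides rejecting HTTP/1.0 requests outright, the Microsoft article linked in the comments describes setting the `alternateHostName` attribute of the `system.webServer/serverRuntime` section so that IIS uses a configured hostname rather than its bound address when no Host header is present; either way, the script should print no internal address once the fix is in place.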

This might be exposed through the HTTP response header. Check the general header information in the browser developer tools. Attached is the screenshot from the local application, so it is just showing a local address. Maybe rewriting the server variable before sending the response can help here.
