
A security scan of our IIS 10 server revealed that it's disclosing the internal IP address of the server via the Location header when a request is made to a folder, such as https://example.org/Content. This generates the following (xxx represents the internal IP):

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: -1
Location: https://xxx.xxx.xxx.xxx/Content/
....

A few questions:

  • What's the best practice on fixing this?
  • How do we do a GET HTTP/1.0 request outside of the scanning software to simulate this and test it after the fix?

Thank you.

Update: tried the URL Rewrite rule from this post but it throws a 500 error.

Alex
  • Duplicate to https://serverfault.com/questions/391356/ignoring-http-1-0-requests-in-iis and https://serverfault.com/questions/1012273/iis-10-how-do-i-remove-internal-ip-address-from-response-headers – Lex Li Sep 23 '21 at 00:57
  • @LexLi, the URL Rewrite rule in the first link blows up the app with a 500 error so it's not a valid rule. It doesn't like the "AbortRequest" – Alex Sep 23 '21 at 10:20
  • @LexLi, please see my update above – Alex Sep 23 '21 at 11:08
  • You will have to show the complete error page. `AbortRequest` is defined in the schema so it cannot be the cause of the problem, https://github.com/lextm/iis_schema/blob/master/rewrite_schema.xml#L60 – Lex Li Sep 23 '21 at 20:49
  • Thanks, @LexLi. It wasn't showing any details nor throwing anything into the event logs, which was weird. Anyway, found the answer and added it below. – Alex Sep 24 '21 at 13:52

1 Answer

This article along with this one outlines protecting against this kind of attack (Client Access Server Information Disclosure vulnerability) by aborting requests which are missing the Host header.

Here are the steps to fix this. Ensure you have the URL Rewrite module installed:

  1. Open IIS.

  2. Select your web site.

  3. Double-click on URL Rewrite.

  4. Click on Add rule(s) in the Actions panel on the right hand side.

  5. Choose Inbound rules > Request blocking.

  6. Enter the following settings for the rule:

    Block access based on: Host Header

    Block request that: Does not match the pattern

    Pattern (Host Header): .+ (read: "dot plus", meaning "match one or more of any characters")

    Using: Regular Expressions

    How to block: Abort request

  7. Click OK to save the rule.

Update: Security scan performed on a Windows Server revealed the vulnerability no longer existed after this change.

Alex
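As an added example (not code from the question or the answer above), here is a small Python script that does what the second question asks: it sends a bare `GET /Content HTTP/1.0` with no Host header, the way the scanner does, and reports whether the Location header points at an IP literal instead of a hostname. The server name and path are assumptions passed on the command line; the embedded sample response is constructed from the headers quoted in the question with 10.0.0.5 standing in for the internal address.

```python
import re
import socket
import ssl
import sys
from ipaddress import ip_address
from typing import Optional

# Constructed sample, modelled on the response quoted in the question (10.0.0.5 is a placeholder).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Expires: -1\r\n"
    b"Location: https://10.0.0.5/Content/\r\n"
    b"\r\n"
)

def send_http10_request(host: str, path: str = "/Content", port: int = 443,
                        use_tls: bool = True, timeout: float = 5.0) -> bytes:
    """Send 'GET <path> HTTP/1.0' with no Host header and return the raw response.
    With the Abort request rule in place the server drops the connection, so this returns b""."""
    conn = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        conn = ssl.create_default_context().wrap_socket(conn, server_hostname=host)
    with conn:
        conn.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def location_header(response: bytes) -> Optional[str]:
    """Return the value of the Location header, or None if absent (or the response is empty)."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def leaked_ip_literal(response: bytes) -> Optional[str]:
    """Return the IP address if the Location URL's host is an IP literal (v4 or bracketed v6), else None."""
    loc = location_header(response)
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", loc or "", re.IGNORECASE)
    if not m:
        return None
    authority = m.group(1)
    host = authority[1:authority.find("]")] if authority.startswith("[") else authority.split(":", 1)[0]
    try:
        return str(ip_address(host))             # ValueError means it is a hostname, not a leak
    except ValueError:
        return None

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"   # assumed server name
    leak = leaked_ip_literal(send_http10_request(target))
    print(f"{target}: " + (f"Location header discloses {leak}" if leak else "no IP literal in Location header"))
```

Run it against the site before and after adding the rule; after the fix the connection is aborted and the script reports no leak.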