
My client is having their website validated in order to accept card payments on the site, and one of the failures is that we are leaking the internal IP address, yet we are using IIS 7.0 which I thought didn't do that.

I've checked the headers myself and can't see where the problem lies:

HTTP/1.1 302 Found
Content-Type: text/html
Location: https://www.pirform.co.uk/Purchase.aspx
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 03 Aug 2010 08:21:08 GMT
Content-Length: 156

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=n4cf1m3qmmocof45bxwpwe55
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 Aug 2010 08:21:08 GMT
Content-Length: 12015

Any ideas what they could be talking about?

Mantorok

2 Answers

OK, the problem was that in IIS there was no host header specified for the HTTPS (443) protocol, so once I added this it was OK.

Changing the setting was a little tricky though, as for single-domain certs IIS does not let you specify a host header, so you have to go into the CA on the server, give the cert a friendly name that begins with an asterisk, and IIS will then allow you to specify the host header.

Mantorok
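A PCI scanner typically finds this class of leak by sending a request that carries no Host header (an HTTP/1.0 request) and looking for a private address in the redirect the server issues; a site with no host-header binding builds the Location URL from its own bound IP. The following script is an added example and is not part of the original question or answers: it parses a response header block, flags any RFC 1918, loopback or link-local IPv4 address in headers that carry a URL or host name, and can optionally send the same Host-less probe to a server you administer so you can confirm the binding fix took effect. The sample responses are constructed for illustration, including the 10.0.0.5 address; the function names and the choice of watched headers are this example's own.

```python
"""Check HTTP response headers for leaked private IP addresses.

Added illustration, not a PCI ASV tool.  Sample header blocks below are
constructed; the checked header names are an assumption of this example.
"""
import ipaddress
import re
import socket
import ssl

# Headers that commonly carry an absolute URL or host name and therefore can
# expose an internal address when the server lacks a host-header binding.
WATCHED_HEADERS = ("location", "content-location", "via", "x-forwarded-host")

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw):
    """Split a raw header block into lower-cased (name, value) pairs.

    Accepts CRLF or LF line endings, skips the status line and stops at the
    first blank line (the end of the header section).
    """
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            break
        if ":" not in line:          # status line, e.g. "HTTP/1.1 302 Found"
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_private_ip_leaks(raw):
    """Return [(header, ip)] for every private, loopback or link-local IPv4
    address found in a watched header; an empty list means no leak found."""
    leaks = []
    for name, value in parse_headers(raw):
        if name not in WATCHED_HEADERS:
            continue
        for candidate in _IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:       # e.g. 999.1.1.1 matched the regex
                continue
            if ip.is_private:
                leaks.append((name, candidate))
    return leaks


def probe_without_host(host, port=443, use_tls=True, path="/", timeout=5):
    """Send an HTTP/1.0 request with no Host header to a server you manage and
    return the raw response header block for find_private_ip_leaks()."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    return data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")


# Constructed samples: a redirect built from a bound internal address (the
# failure mode the scanner reports) and the clean redirect from the question.
LEAKING_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://10.0.0.5/Purchase.aspx\r\n"
    "Server: Microsoft-IIS/7.0\r\n\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.pirform.co.uk/Purchase.aspx\r\n"
    "Server: Microsoft-IIS/7.0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    # With a hostname argument, run the live Host-less probe; otherwise check
    # the constructed leaking sample.
    raw = probe_without_host(sys.argv[1]) if len(sys.argv) > 1 else LEAKING_RESPONSE
    print(find_private_ip_leaks(raw) or "no private IP in watched headers")
```

Run it once before and once after adding the 443 host-header binding: the Location value should change from the bound IP to the public host name. Because the probe still sends the host name via SNI, a clean result shows that the redirect no longer depends on the Host header rather than that the certificate binding merely matched.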

There's a ton of places it could be leaked, possibly even in the application. What are the check results? Without more knowledge about your infrastructure or more details about how they proved it was failing, it will be difficult to answer your question.

Warner