I am trying to pass a PCI compliance test, and I'm getting a single "high risk vulnerability".

The problem is described as:

Information on the machine on which a web server is located is sometimes included in the header of a web page. Under certain circumstances that information may include local information from behind a firewall or proxy server, such as the local IP address.

It looks like Nginx is responding with:

    Service: https
    Received: HTTP/1.1 302 Found
    Cache-Control: no-cache
    Content-Type: text/html; charset=utf-8
    Location: http://ip-10-194-73-254/
    Server: nginx/1.0.4 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)
    Status: 302
    X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7
    X-Runtime: 0
    Content-Length: 90
    Connection: Close

    <html><body>You are being <a href="http://ip-10-194-73-254/">redirected</a>.</body></html>

I'm no expert, so please correct me if I'm wrong: but from what I gathered, I think the problem is that the Location header is returning http://ip-10-194-73-254/, which is a private address, when it should be returning our domain name (which is ravn.com).

So, I'm guessing I need to either hide or replace the Location header somehow? I'm a programmer and not a server admin so I have no idea what to do... Any help would be greatly appreciated! Also, might I add that we're running more than 1 server, so the configuration would need to be transferable to any server with any private address.

sysadmin1138
Steven Ou
  • This is a nonsense vulnerability. Location is an HTTP header and HTTP won't work without it. Get the auditor to tell you what the problem is. – Alex Holst Nov 14 '11 at 20:18
  • It's an automated test :-/ Will see if I can get to a person to talk to... – Steven Ou Nov 14 '11 at 21:03
  • Perhaps they're talking about the Server: or Status: headers, in that they disclose the software you're running. That's a nonsense vulnerability, too. Hiding which software you run does not a secure system make. – Alex Holst Nov 14 '11 at 21:54
  • I think it's the private address because they specifically said "Description: Web Server Internal IP address or network name available". I emailed the company - hopefully they can do something about it... In the meantime I'll keep trying to figure out how to pass the test... – Steven Ou Nov 14 '11 at 22:36

1 Answer

Well, 302 Found is an HTTP redirection status, so you were redirected. You were redirected not by nginx but by software behind nginx (a Ruby application run on Phusion Passenger, as I can see), because there were headers (X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7) added by the backend app, not by nginx. So, you should check the source code of your Ruby app to find what caused the redirection. The address you were redirected to was not accessible from the public web anyway, so this is not a vulnerability but a kind of misconfiguration.

Alex
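For the asker's follow-up of replacing the Location header in a way that can be deployed on any server regardless of its private address: an added example, not from the question or the answer, of a small Rack middleware (hypothetical name CanonicalRedirectHost) that rewrites the host of an absolute redirect whenever it is not one of the public hostnames you control, using ravn.com from the question as the canonical host. It only masks the symptom; finding the redirect in the Ruby app, as the answer recommends, is still the real fix.

```ruby
require 'uri'

# Rack middleware: if the app answers with a Location pointing at a host that is
# not in the public allowlist (e.g. an EC2-internal name like ip-10-194-73-254 or
# a 10.x address), replace the host with the canonical public domain. Path and
# query string are kept. Mount it in config.ru, before the app:
#   use CanonicalRedirectHost, canonical_host: 'ravn.com',
#       allowed_hosts: ['ravn.com', 'www.ravn.com']
# (class name and option names are this example's own, not a real library API)
class CanonicalRedirectHost
  def initialize(app, canonical_host:, allowed_hosts: [canonical_host])
    @app = app
    @canonical_host = canonical_host
    @allowed = allowed_hosts.map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rack 3 lowercases header names, so match the key case-insensitively
    key = headers.keys.find { |k| k.casecmp?('location') }
    if key && (fixed = self.class.rewrite(headers[key], @canonical_host, @allowed))
      headers[key] = fixed
    end
    [status, headers, body]
  end

  # Returns the rewritten URL, or nil when the Location needs no change:
  # relative redirects and redirects to an allowed public host are left alone.
  def self.rewrite(location, canonical_host, allowed)
    uri = URI.parse(location)
    return nil unless uri.is_a?(URI::HTTP) && uri.host
    return nil if allowed.include?(uri.host.downcase)
    uri.host = canonical_host
    uri.port = nil # drop any internal port; the scheme's default applies
    uri.to_s
  rescue URI::InvalidURIError
    nil # leave an unparsable Location untouched rather than raise mid-response
  end
end
```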