Web Server HTTP Header Internal IP Disclosure (CVE-2000-0649)

**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details 

The “Web Server HTTP Header Internal IP Disclosure” vulnerability occurs when a web server inadvertently reveals its internal IP address through HTTP headers, such as Content-Location or Location. This can happen due to server misconfigurations or in response to specific types of HTTP requests.

Severity Rating

Low

How to Verify if a Device is Vulnerable

Automated Verification:
Use Nessus plugin ID 10759 to scan the device for this vulnerability.

Manual Verification:
Use a tool like curl to inspect the HTTP headers:

curl -v -H "Host:" http://your-web-server

Analyze the response headers for internal IP addresses, typically found in headers like Content-Location or Location, e.g.,

Content-Location: http://192.168.0.1/page.htm

If an internal IP address is exposed, the device is vulnerable.

How to Fix

This vulnerability is only found on IIS servers. To fix it:

Update IIS Server:

Ensure your IIS server is updated with the latest security patches and updates from Microsoft.

Configure the IIS Response Headers:

Remove or obfuscate the Content-Location and Location headers that might reveal internal IP addresses.

Web Application Firewall (WAF):
Implement a WAF to inspect and sanitize HTTP headers. A WAF can help block any sensitive information, such as internal IP addresses, from being exposed.

Use URL Rewrite Module:

Implement rules to rewrite or remove sensitive headers. For example, you can install and configure the URL Rewrite module to manage header information.

To implement URL Rewrite rules in IIS to manage header information, follow these steps:

Install URL Rewrite Module

Download and install the “URL Rewrite module” from the Microsoft website: https://www.iis.net/downloads/microsoft/url-rewrite

Configure URL Rewrite Rules

Open IIS Manager.

Select the site or server level where you want to apply the rules.

Go to the “URL Rewrite” module.

Click on “Add Rule(s)…” and select “Blank rule” under “Inbound rules”.

Create a Rule to Remove Sensitive Headers

Name the rule appropriately, e.g., “Remove Sensitive Headers”.

In the “Match URL” section, specify the conditions for the rule. For example, you can match all URLs.

Under “Conditions”, click “Add” to specify the conditions that trigger the rule. This could include checking if the request has a specific header.

In the “Action” section, set the action type to “Rewrite” and use the following to remove a specific header (e.g., Content-Location):


<serverVariables>
    <set name="RESPONSE_Content-Location" value="" />
</serverVariables>

Example Rule in web.config
Add the following XML snippet to your web.config file within the <system.webServer> section:

<rewrite>
    <rules>
        <rule name="Remove Sensitive Headers" enabled="true">
            <match url=".*" />
            <action type="None" />
            <serverVariables>
                <set name="RESPONSE_Content-Location" value="" />
            </serverVariables>
        </rule>
    </rules>
</rewrite>


Rollback

To perform a rollback do the following:

IIS Servers:

Revert URL Rewrite Rules:
If you added URL Rewrite rules to obfuscate or remove headers, revert these changes in the IIS Manager under the URL Rewrite section.

Restore Original Configuration:
If you modified the web server’s configuration files, restore the original versions from backups or remove specific changes related to header modifications.

General Steps:
Undo WAF Configuration:
If you configured a Web Application Firewall to block or rewrite headers, revert these changes by disabling or removing the specific rules.

Re-enable Disabled Features:
If you disabled any features as part of the mitigation, re-enable them through the server management interface or configuration files.

How to Verify the Fix

  • Rescan the device with Nessus plugin ID 10759 and check for the vulnerability.
  • To manually verify if the “Web Server HTTP Header Internal IP Disclosure” vulnerability has been fixed:

Send a Request Without Host Header: Use a tool like curl to send an HTTP request to the server without a “Host” header.

curl -v -H "Host:" http://your-web-server

Check Response Headers: Examine the response headers for the presence of internal IP addresses, specifically in headers like Content-Location or Location. If the fix is successful, the internal IP address should not be present in any headers. Instead, headers should refer to the external or configured public-facing information.
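The header check described under "How to Verify if a Device is Vulnerable" and "How to Verify the Fix" can be scripted so that it runs the same way before and after the change. The following is an added example, not part of the original article: it reads saved `curl -v` output (or plain header text) and reports every response header that contains a private address. The function name, the sample response and the choice of the RFC 1918 ranges as the definition of "internal" are assumptions.

```python
import ipaddress
import re

# "Internal" is taken to mean the RFC 1918 private ranges (an assumption of this example).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: `curl -v` output from a server that leaks its address.
SAMPLE_VULNERABLE = """\
* Connected to your-web-server port 80
> GET / HTTP/1.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Location: http://192.168.0.1/page.htm
< Content-Type: text/html
<
<html>body text mentioning 10.0.0.5 is not a header</html>
"""


def find_internal_ips(raw_response):
    """Return (header, ip) pairs for each RFC 1918 address in a response header."""
    findings = []
    seen_header = False
    for line in raw_response.splitlines():
        if line.startswith((">", "*")):    # curl -v request echo and info lines
            continue
        if line.startswith("<"):           # curl -v response-header prefix
            line = line[1:]
        line = line.strip()
        if not line:
            if seen_header:
                break                      # blank line ends the header block
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name:         # status line or not a header
            continue
        seen_header = True
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:             # not a valid address, e.g. 999.1.1.1
                continue
            if any(ip in net for net in RFC1918):
                findings.append((name, candidate))
    return findings


if __name__ == "__main__":
    for header, ip in find_internal_ips(SAMPLE_VULNERABLE):
        print(f"internal address {ip} disclosed in {header}")
```

An empty result after the fix, where the same request previously returned a finding, corresponds to the "internal IP address should not be present in any headers" condition above.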

Links (for additional resources and references)

https://nvd.nist.gov/vuln/detail/CVE-2000-0649
https://github.com/stevenvegar/cve-2000-0649  
