Score:1

IIS leaks internal IP with an HTTP/1.0 request without a Host header


A security scan of our IIS 10 server revealed that it's disclosing the internal IP address of the server via the Location header when a request is made to a folder, such as https://example.org/Content. This generates the following (xxx represents the internal IP):

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: -1
Location: https://xxx.xxx.xxx.xxx/Content/
....

A few questions:

  • What's the best practice on fixing this?
  • How do we do a GET HTTP/1.0 request outside of the scanning software to simulate this and test it after the fix?

Thank you.

Update: tried the URL Rewrite rule from this post but it throws a 500 error.

Lex Li:
Duplicate of https://serverfault.com/questions/391356/ignoring-http-1-0-requests-in-iis and https://serverfault.com/questions/1012273/iis-10-how-do-i-remove-internal-ip-address-from-response-headers
Alex:
@LexLi, the URL Rewrite rule in the first link blows up the app with a 500 error so it's not a valid rule. It doesn't like the "AbortRequest"
Alex:
@LexLi, please see my update above
Lex Li:
You will have to show the complete error page. `AbortRequest` is defined in the schema so it cannot be the cause of the problem, https://github.com/lextm/iis_schema/blob/master/rewrite_schema.xml#L60
Alex:
Thanks, @LexLi. It wasn't showing any details nor throwing anything into the event logs, which was weird. Anyway, found the answer and added it below.
Score:3

This article, along with this one, outlines how to protect against this kind of attack (Client Access Server Information Disclosure vulnerability) by aborting requests that are missing the Host header.

Here are the steps to fix this. Ensure you have the URL Rewrite module installed:

  1. Open IIS.

  2. Select your web site.

  3. Double-click on URL Rewrite.

  4. Click on Add rule(s) in the Actions panel on the right hand side.

  5. Choose Inbound rules > Request blocking.

  6. Enter the following settings for the rule:

    Block access based on: Host Header

    Block request that: Does not match the pattern

    Pattern (Host Header): .+ (read: "dot plus", meaning "match one or more of any characters")

    Using: Regular Expressions

    How to block: Abort request

  7. Click OK to save the rule.

Update: Security scan performed on a Windows Server revealed the vulnerability no longer existed after this change.
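To answer the question's second bullet (reproducing the scanner's request outside the scanning software, before and after the rule above is in place), here is an added example that is not part of the question, the answer, or any IIS documentation. It sends a raw HTTP/1.0 GET with no Host header over a TLS socket, then inspects the Location header of whatever comes back: a literal IP in the host part is reported as a leak (flagged as private or public), a DNS name is reported as clean, and an empty reply or connection reset is reported as aborted, which is what the "Abort request" action produces. The hostname, port, path and the sample reply (the question's response with 10.0.0.5 standing in for xxx) are assumptions; the parsing functions run offline on the embedded sample.

```python
"""Hostless HTTP/1.0 probe for the IIS internal-IP disclosure.

Added example; not code from the question, the answer or Microsoft.
Hostname, port, path and the sample response below are assumptions."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def build_probe(path="/Content"):
    """Build what the scanner sends: an HTTP/1.0 GET with no Host header.

    Without a Host header IIS has nothing to echo back, so the 301 it issues
    for a directory without a trailing slash uses the binding's IP address."""
    request = (
        f"GET {path} HTTP/1.0\r\n"
        "User-Agent: hostless-probe\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_response(raw):
    """Split a raw HTTP reply into (status line, {lowercase header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_ip(headers):
    """Return the IP literal used as the Location host, or None if it is a name."""
    location = headers.get("location")
    if not location:
        return None
    host = urlsplit(location).hostname
    if not host:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:  # a DNS name, not an address: nothing leaked
        return None


def classify(raw):
    """Turn one probe result into a short verdict string."""
    if not raw:
        # 'Abort request' drops the connection, so no bytes come back at all.
        return "aborted: no response (expected after the fix)"
    status, headers = parse_response(raw)
    ip = leaked_ip(headers)
    if ip is None:
        return f"ok: {status}"
    kind = "private" if ipaddress.ip_address(ip).is_private else "public"
    return f"leak: {status} -> Location host is {kind} IP {ip}"


def probe(host, port=443, path="/Content", use_tls=True, timeout=5.0):
    """Send the hostless request to a live server and return the raw reply bytes."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        # server_hostname only sets SNI in the TLS handshake; the HTTP request
        # above still carries no Host header, which is the condition under test.
        sock = ctx.wrap_socket(sock, server_hostname=host)
    chunks = []
    try:
        with sock:
            sock.sendall(build_probe(path))
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except (ConnectionResetError, ssl.SSLEOFError):
        pass  # a reset is how the abort shows up; classify() reports it as aborted
    return b"".join(chunks)


# Constructed sample: the reply quoted in the question, with 10.0.0.5 in place of xxx.
SAMPLE_LEAKING_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Expires: -1\r\n"
    b"Location: https://10.0.0.5/Content/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(classify(probe(sys.argv[1])))  # e.g. python probe.py example.org
    else:
        print(classify(SAMPLE_LEAKING_RESPONSE))
```

Run it with the server name as the first argument before applying the rule (expect a "leak:" line naming the internal address) and again afterwards (expect "aborted"). The default SSL context verifies the server certificate, so an internal-CA or self-signed certificate needs to be trusted by the machine running the probe. The same request can also be sent with curl, which drops the Host header when it is given with an empty value: curl -sv --http1.0 -H "Host:" https://example.org/Content, then look at the Location line in the verbose output.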
