IIS leaks internal IP with an HTTP/1.0 request without a Host header
A security scan of our IIS 10 server revealed that it's disclosing the internal IP address of the server via the Location header when a request is made to a folder, such as https://example.org/Content. This generates the following (xxx represents the internal IP):
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: -1
Location: https://xxx.xxx.xxx.xxx/Content/
....
A few questions:
- What's the best practice on fixing this?
- How do we do a GET HTTP/1.0 request outside of the scanning software to simulate this and test it after the fix?
Thank you.
Update: tried the URL Rewrite rule from this post but it throws a 500 error.
Solution 1:
This article along with this one outline protecting against this kind of attack (Client Access Server Information Disclosure vulnerability) by aborting requests which are missing the Host header.
Here are the steps to fix this. Ensure you have the URL Rewrite module installed.
- Open IIS.
- Select your web site.
- Double-click on URL Rewrite.
- Click on Add rule(s) in the Actions panel on the right hand side.
- Choose Inbound rules > Request blocking.
- Enter the following settings for the rule:
    Block access based on: Host Header
    Block request that: Does not match the pattern
    Pattern (Host Header): .+ (read: "dot plus", meaning "match one or more of any characters")
    Using: Regular Expressions
    How to block: Abort request
- Click OK to save the rule.
Update: Security scan performed on a Windows Server revealed the vulnerability no longer existed after this change.
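As an added example (not code from either poster), here is a small Python script for the testing part of the question: it sends the same Host-less HTTP/1.0 request the scanner does and flags a Location header that points at a private, loopback or link-local address. The `probe()` helper, the `/Content` path and the `SAMPLE` response are assumptions for illustration; a server with the blocking rule in place simply drops the connection, which `probe()` reports as a `None` status.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def build_request(path: str) -> bytes:
    # HTTP/1.0 allows omitting Host; this mirrors what the scanner sends
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii")

def parse_response(raw: bytes):
    """Return (status_code, {lowercased header: value}) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def leaks_private_ip(headers) -> bool:
    """True if Location points at a private, loopback or link-local IP literal."""
    location = headers.get("location")
    if not location:
        return False
    try:
        addr = ipaddress.ip_address(urlsplit(location).hostname)
    except ValueError:
        return False  # a hostname (or no host at all), not an IP literal
    return addr.is_private or addr.is_loopback or addr.is_link_local

def probe(host: str, path: str = "/Content", port: int = 443, use_tls: bool = True):
    """Send the Host-less request to a live server and return (status, headers);
    status is None if the server drops the connection, as the blocking rule does."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:  # the certificate is verified against `host`, so use the site name
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    raw = b""
    with sock:
        sock.sendall(build_request(path))
        try:
            while chunk := sock.recv(4096):
                raw += chunk
        except (ConnectionResetError, socket.timeout):
            pass  # AbortRequest resets the connection: treated as "no reply"
    return parse_response(raw) if raw.startswith(b"HTTP/") else (None, {})

# Constructed sample modelled on the reply quoted in the question (not a real capture)
SAMPLE = (b"HTTP/1.1 301 Moved Permanently\r\nCache-Control: no-cache\r\n"
          b"Location: https://10.0.0.5/Content/\r\n\r\n")
```

Run `probe("your.site.example")` before and after adding the rule: before, `leaks_private_ip` on the returned headers is True; after, the status comes back as None because the request is aborted.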