IIS reveals internal IP address in content-location field


Solution 1

For anyone looking for the way to do this in IIS 7, the property has been changed to alternateHostName. It can be set by running the command below:

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"website" /commit:apphost

Command Reference appcmd.exe Reference

Solution 2

KB 834141 is the only fix for the IP address revealing issue in HTTP headers. After installing the patch, you will need to configure the Web site for UseHostName or SetHostName. If you have a host header configured on your Web site, use SetHostName so that the host header is returned instead of the IP address.

Make sure there is no redirect happening on any page. Take a network trace and look at the request; for a redirect you will see 302 Object moved.

Hope this helps.
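To confirm the setting took effect, the response headers from a network trace can be checked for an IP-literal host. This is an added example, not code from the answers on this page: the captured responses are constructed, the function names are hypothetical, and checking `Location` alongside `Content-Location` is an assumption based on the redirect remark above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample captures (not from the page): before the fix, after
# setting the alternate host name to "website", and a redirect response.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Location: http://10.1.2.3/Default.htm\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Location: http://website/Default.htm\r\n\r\n"
REDIRECT = "HTTP/1.1 302 Object moved\r\nLocation: http://192.168.0.10/app/\r\n\r\n"

# Headers that can carry a URL built from the server's own address (assumption).
URL_HEADERS = ("content-location", "location")

def parse_response_head(raw):
    """Split a raw response head into (status_code, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(match.group(1)), headers

def internal_host(value):
    """Return the URL's host if it is a private, loopback or link-local IP literal."""
    try:
        host = urlsplit(value).hostname
        if not host:
            return None  # relative URL: nothing to leak
        ip = ipaddress.ip_address(host)  # raises ValueError for host names
    except ValueError:
        return None
    return host if (ip.is_private or ip.is_loopback or ip.is_link_local) else None

def audit(raw):
    """Return findings as (header, leaked_ip, is_redirect) for one response."""
    status, headers = parse_response_head(raw)
    findings = []
    for name, value in headers:
        host = internal_host(value) if name in URL_HEADERS else None
        if host:
            findings.append((name, host, 300 <= status < 400))
    return findings
```
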

Solution 3

Where is this header coming from to begin with? According to that MSDN article (and my quick test), ASP.NET does not add a content-location header by default.

I think you have something configured incorrectly.


Author: saille

Updated on September 17, 2022

Comments

  • saille over 1 year

    Referring to http://support.microsoft.com/kb/q218180/, there is a known issue in IIS4/5/6 whereby it will reveal the internal IP of a web server in the content-location field of the HTTP header.

    We have IIS 6. I have tried the fix suggested, but it has not worked. The website is configured to send all requests to ASP.NET, and I am wondering if this is why the fix, which addresses IIS configuration, has not worked for us.

    If this is the case, how would we fix this in ASP.NET?

    We need to fix this issue in order to pass a security audit.

    • I.T. Support over 13 years
      I have the EXACT same issue: IP address is revealed in the content-location field in the TCP header in IIS 6.0. We're trying to pass compliance as well. I think the issue is that according to the KB you're supposed to apply the latest service pack, then apply a Microsoft "hot fix" which you can only obtain by contacting technical support. Also the KB mentions something about what might be an IIS tweak to get things operational: "After the service pack, set either the UseHostName property or SetHostName property on the site if you want an alternate host name to be sent for requests"