IIS reveals internal IP address in content-location field
Solution 1
For anyone looking for the way to do this in IIS 7, the property has been changed to alternateHostName. It can be set by running the command below:
appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"website" /commit:apphost
Command Reference appcmd.exe Reference
Solution 2
KB 834141 is the only fix for IP Address revealing issue in HTTP headers. After installing the patch, you will need to configure the Web site for UseHostName or SetHostName. If you have host header configured on your Web site you use SetHostName such that host header is returned instead of IP Address.
Make sure there is no redirect happening on any page. Take a network trace and see the request, for a redirect you will see 302 Object moved.
Hope this helps.
Solution 3
Where is this header coming from to begin with? According to that MSDN article (and my quick test), ASP.NET does not add a content-location header by default.
I think you have something configured incorrectly.
Related videos on Youtube
saille
Updated on September 17, 2022Comments
-
saille over 1 year
Referring: http://support.microsoft.com/kb/q218180/, there is a known issue in IIS4/5/6 whereby it will reveal the internal IP of a web server in the content-location field of the HTTP header.
We have IIS 6. I have tried the fix suggested, but it has not worked. The website is configured to send all requests to ASP.NET, and I am wondering if this is why the fix, which addresses IIS configuration, has not worked for us.
If this is the case, how would we fix this in ASP.NET?
We need to fix this issue in order to pass a security audit.
-
I.T. Support over 13 yearsI have the EXACT same issue: IP address is revealed in the content-location field in the TCP header in IIS 6.0 We're trying to pass compliance as well. I think the issue is that according to the KB you're supposed to apply the latest service pack, then apply a microsoft "hot fix" which you can only obtain by contacting technical support. Also the KB mentions something about what might be a an IIS tweak to get things operational: "After the service pack, set either the UseHostName property or SetHostName property on the site if you want an alternate host name to be sent for requests"
-