1

We are working on obtaining PCI compliance for our e-commerce website with securitymetrics.com. One last item that keeps coming up is as follows:

Synopsis: This web server leaks a private IP address through its HTTP headers.
Description: This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection.
See also: http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

I have implemented the changes in the MetaBase using the adsutil.vbs script, as documented in the KB articles, and have also verified these changes using the IIS6 Metabase Explorer; however, we continue to fail on this item.

We are reverse hosting this site through a Fortinet firewall.

Any suggestions on something that I may be missing?

masegaloeh
  • I am curious why this is a problem for the security auditors. What is the exposure from an outsider knowing the internal IP? – tomjedrz Aug 11 '09 at 23:48
  • You'd have to understand PCI compliance before realizing that this is part of the requirements to pass. – David Rickman Aug 12 '09 at 00:12
  • Because when an internal IP address is leaked, you've given attackers a little extra knowledge to craft attacks with. – K. Brian Kelley Aug 12 '09 at 14:55

2 Answers

1
> We are reverse hosting this site through a Fortinet firewall.

Do you mean port forwarding?

What version of IIS are you running?

Have you restarted the IISadmin process after configuring the changes?

side question: Is there anything stopping you from hosting this in a DMZ?

David Rickman
  • +1 for mentioning DMZ - that's exactly where this webserver should be. Not on the production wire. – Izzy Aug 12 '09 at 01:38
  • The site has an internal local LAN IP address that is virtually mapped (the Fortinet calls it 'Virtual IP Mapping') to an external public IP address. The checkbox for 'Port Forwarding' is not checked in the Virtual IP Mapping in the Fortinet. I've restarted IIS and have even restarted the box. DMZ or no DMZ, IIS is still returning the IP address (public or otherwise) that the site is bound to. I appreciate the help and feedback. –  Aug 12 '09 at 14:52
0

Have you connected directly to the web server so that you don't go through the firewall? For instance, telnet to port 80 and issue the proper HTTP/1.0 GET request. The reason I ask this is we had a problem where we were getting flagged even though we had made the changes in IIS. However, we were able to show it was the load balancer doing it, because when we telnetted straight in and issued the GET request manually, bypassing the load balancer, we got the server name instead.

K. Brian Kelley
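The check the answer above describes (a bare HTTP/1.0 GET sent straight to the web server, then a look at which address comes back in the headers) can be scripted so the same request is sent once to the server's own address and once to the public address behind the firewall, which isolates whether IIS or an intermediate device is the source of the finding. The following is an added example and is not code from the question, the answers, or the KB article; the host names, the `SAMPLE_RESPONSE` bytes and the function names are constructed for illustration. It sends the request over a raw socket without a `Host` header, which is the case the cited KB article covers, and flags any RFC 1918, loopback or link-local IPv4 address found in a response header such as `Location` or `Content-Location`.

```python
import ipaddress
import re
import socket
from typing import List, Optional, Tuple

# Constructed sample response (not a real capture): the kind of redirect the
# scanner finding describes, with an internal address in the Location header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Location: http://192.168.10.25/default.asp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Dotted-quad matcher; candidates are validated with ipaddress afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def private_ips_in_headers(raw_response: bytes) -> List[Tuple[str, str]]:
    """Return (header name, address) pairs for every private, loopback or
    link-local IPv4 address that appears in the response headers."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]  # drop status line
    hits = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line (e.g. a continuation or junk)
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # e.g. "999.1.1.1" matched the regex but is not an address
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                hits.append((name.strip(), candidate))
    return hits


def fetch_http10(host: str, port: int = 80, path: str = "/",
                 connect_to: Optional[str] = None, timeout: float = 10.0) -> bytes:
    """Send a bare HTTP/1.0 GET (no Host header) and return the raw response.

    `connect_to` lets you aim the TCP connection at the server's own address
    while `host` only documents which site you meant to test.  Network calls
    happen here only; nothing is sent at import time."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((connect_to or host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def compare_direct_and_public(site: str, server_addr: str, public_addr: str,
                              path: str = "/") -> dict:
    """Run the same request against the server directly and via the public
    address; whichever response carries the private address is the culprit."""
    return {
        "direct": private_ips_in_headers(fetch_http10(site, connect_to=server_addr, path=path)),
        "public": private_ips_in_headers(fetch_http10(site, connect_to=public_addr, path=path)),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace the addresses
    # below with your own (hypothetical values) to test a live server.
    print(private_ips_in_headers(SAMPLE_RESPONSE))
    # print(compare_direct_and_public("shop.example", "10.0.0.5", "198.51.100.7", "/store"))
```

Requesting a directory path without its trailing slash (for example `/store` rather than `/store/`) is a convenient way to provoke a redirect, since that is where a server has to name itself in the `Location` header. If the direct connection is clean and only the public path shows the internal address, the firewall or load balancer is rewriting or generating the header and the IIS MetaBase change alone cannot clear the finding.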