PCI Pen Test Failure, Internal IP Exposed


Question

Hi,

I've recently failed a PCI penetration test because IIS was including the internal server IP address in the response header.

Is this header something that can be removed by configuring IIS or will I have to write code in my website to remove it from the response?

More information:

It only exposes the internal IP when viewing a folder, without content and without sending an HTTP Host header.

E.g.

https://mysite.com/images

Accepted answer

I found the solution.

I think it is a bug in IIS 7? When requesting a directory instead of a page or some static content, the server returns an HTTP 301 Moved Permanently.

This includes the Location response header, but IIS fails to use the alternateHostName when generating the header content, so it reverts back to the internal IP.

The ability to make this kind of request relies on the "List Folder Contents" permission within IIS. If you deny this permission to the relevant security principal when the user makes the request, the server returns an HTTP 401 Unauthorized, which does not include the Location header and, as such, the internal IP.
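A quick way to reproduce the check the pen test performed, and to confirm the fix, as an added example that is not part of the original question or answer: the script below sends the same kind of request described above (an HTTP/1.0 GET for a directory path with no Host header, which is what many PCI scanners do) and flags a redirect whose Location header points at a private, loopback or link-local address. After the permission change, the expected result is a 401 with no Location header, which the check reports as clean. The hostname `mysite.com`, the path `/images`, and the three sample responses are constructed for illustration.

```python
"""Probe a web server for an internal-IP leak in a directory redirect.

Constructed example; the host, path and sample responses below are assumptions.
"""
import ipaddress
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

# Responses constructed to mirror the behaviour described in the answer:
# a leaking 301, the post-fix 401, and a 301 that correctly uses the public hostname.
SAMPLE_LEAK = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://10.0.1.25/images/\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_FIXED = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OK = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://mysite.com/images/\r\n\r\n"
)

REDIRECT_CODES = (301, 302, 307, 308)


def build_probe(path: str) -> bytes:
    """HTTP/1.0 request with deliberately no Host header: the server has to
    fill in a hostname itself when it builds an absolute Location URL."""
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def leaked_internal_ip(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the leaked address if a redirect's Location host is an internal IP,
    otherwise None. Non-redirects (e.g. the 401 after the fix) carry no Location."""
    if status not in REDIRECT_CODES:
        return None
    location = headers.get("location")
    if not location:
        return None
    match = re.match(r"^https?://([^/:?#]+)", location)  # host part only (IPv4 / DNS name)
    if not match:
        return None
    host = match.group(1)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name such as mysite.com, not an IP literal
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return host
    return None


def probe(host: str, path: str, port: int = 443, use_tls: bool = True,
          timeout: float = 5.0) -> Optional[str]:
    """Send the Host-less probe to a live server and report any leaked internal IP."""
    sock = socket.create_connection((host, port), timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_probe(path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return leaked_internal_ip(*parse_headers(b"".join(chunks)))


if __name__ == "__main__":
    # Offline demonstration against the constructed responses.
    for label, sample in (("leak", SAMPLE_LEAK), ("fixed", SAMPLE_FIXED), ("ok", SAMPLE_OK)):
        print(label, leaked_internal_ip(*parse_headers(sample)))
    # Live check (assumed target): print(probe("mysite.com", "/images"))
```

The check only treats RFC 1918, loopback and link-local literals as a leak; a redirect to the public hostname, or a 401 with no Location header, passes. Run it against the directory path without a trailing slash, since that is what triggers the redirect.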

