Bugtraq mailing list archives

RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0

From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 9 Aug 2001 13:22:39 -0700

this isnt just for HTTPS... this can occur on plain HTTP also depending on
how someone has setup. If you have an IIS web server you should not use "all
ip addresses" for a web and instead pick the specific IP so that way IIS
does not accidently return internal IP's etc....

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall

|| -----Original Message-----
|| From: marek_roy () hotmail com [mailto:marek_roy () hotmail com]
|| Sent: Tuesday, August 07, 2001 9:55 PM
|| To: bugtraq () securityfocus com
|| Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
||
||
|| GGS-AU / e-Synergies Security Advisory
|| August 8, 2001
||
|| Internal IP Address Disclosure in Microsoft-IIS 4.0 &
|| 5.0
||
|| Synopsis:

Current thread:

Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Marek Roy (Aug 08)
- <Possible follow-ups>
- RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Marc Maiffret (Aug 09)
  - Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 H D Moore (Aug 10)
- RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 Microsoft Security Response Center (Aug 09)