Vulnerability Development mailing list archives

IIS leak internal IP, Again?


From: "wirepair" <wirepair () roguemail net>
Date: Tue, 21 Oct 2003 07:54:59 -0700

hi hi,
I'm not sure this has been mentioned before, but I was scanning an IIS 5.0 box and I noticed that when I request a directory
which has directory indexing disabled, such as /pdf, I get a different response than /pdf/. Now the reasoning is obvious (file vs dir), but what's interesting is that when I request /pdf/ I get the usual 403. But when I access /pdf I get:

$ nc www.iisweb.com 80
GET /pdf HTTP/1.0

HTTP/1.1 302 Object Moved
Location: http://172.16.25.140/pdf/
Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 148

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://172.16.25.140/pdf/">here</a></body>

This is *not* the same content-location bug that used to exist. This seems entirely separate because IIS is trying
to forward you to the directory because you tried to access it as a file. Is this a configuration error? Can this
be easily changed to not leak the internal IP? I'd be amazed if no one has caught this before.. But
hey you never know.
Thanks,
-wire
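
An added example, not part of the original post: a check a defender could run over responses captured from their own server to flag redirect headers or bodies that expose a non-public IP literal, as the 302 quoted above does. The sample response is constructed from the exchange in the post, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the 302 response quoted in the post above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Location: http://172.16.25.140/pdf/\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 148\r\n"
    b"\r\n"
    b"<head><title>Document Moved</title></head>\n"
    b"<body><h1>Object Moved</h1>This document may be found "
    b'<a HREF="http://172.16.25.140/pdf/">here</a></body>\n'
)

# Headers whose value is a URL the server builds itself.
URL_HEADERS = {"location", "content-location"}
HREF_RE = re.compile(r'(?:href|src)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def internal_host(url):
    """Return the URL's host if it is a non-public IP literal, else None."""
    try:
        host = urlsplit(url).hostname
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return None  # relative URL, DNS name, or unparsable value
    return host if (ip.is_private or ip.is_loopback or ip.is_link_local) else None


def find_ip_leaks(raw):
    """Scan one raw HTTP response; return sorted (where, address) findings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = set()
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in URL_HEADERS:
            host = internal_host(value.strip())
            if host:
                findings.add((name.strip().lower(), host))
    for url in HREF_RE.findall(body.decode("latin-1")):
        host = internal_host(url)
        if host:
            findings.add(("body", host))
    return sorted(findings)
```

A response whose Location header uses the public host name produces no findings, so the check can run over both the /pdf and /pdf/ forms of each directory and report only the redirects that carry an address.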

