IIS 6.0 leaks internal IP address in Content-Location header -- iis security

Andrew Head
7/28/2006 8:48:04 AM

Hello,

I have an IP leak problem running IIS 6.0 on W2K3 SP1. I have followed
recomendations in KB218180 and KB834141 and configured SetHostName so that
my websites do
not return internal IP addresses. I have also configured host headers for
my websites.

But, my server still returns a private IP in the response to the following
request:
HEAD / HTTP/1.0

I can't find any other solutions beyond the above. Does anyone have any
suggestions?

Daniel Crichton
7/31/2006 12:14:39 PM

[quoted text, click to view]

KB218180 is for IIS4 and IIS5.

KB834141 is for IIS6, but also requires the hotfix. However, that hotfix is
pre-SP1 - SP1 includes newer versions of both of those files.

I remember going through both of those articles, and some others. If I
remember, I'll post details. As of right now, there is no Content-Location:
header returned by my sites - and I don't have a custom ISAPI dll installed.

Dan

iis security : IIS 6.0 leaks internal IP address in Content-Location header