Possible internal IP address disclosure, this information can be used to conduct further attacks.
It is possible that in a system or application error; an internal IP address is revealed. The problem with sending location information as part of the response, however, is that in some cases that location information could reveal more to end-users than is necessary for the user to get the web page they’re looking for.
Microsoft IIS Internal IP Address Disclosure Vulnerability
HEAD /directory HTTP/1.0[CRLF]
[CRLF]
or
PROPFIND / HTTP/1.1
Host:
Content-Length: 0
Also knowing IP could enable an attacker to exploit server configuration settings; if not configured securely for internal external network users. Also via IP attackers could exploit its OS and other patch level vulnerabilities to gain server access as admin or other user.
Modify the Apache configuration file as follows:
- Set "ServerName" to a proper FQDN.
Or
- Use module mod_rewrite to modify the 3xx error message returned by the server.
if the aws elb is passing host as IP force redirect to domain
this is for pci fixes
if ($host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
rewrite ^/(.*) $scheme://www.somewebsite.com/$1 permanent;
}
Content Sniffing
Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...
Content Sniffing
Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...
Content Sniffing
Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...
Content Sniffing
Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...
