Nasser Heidari

2009-12-14

IIS reveals its internal IP in the Content-Location header via a request to the root file

Filed under: Security Tips and Issues — Nasser Heidari @ 06:29

It’s actually an easy fix. The appropriate Knowledge Base article is “FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0”.

1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:
%SYSTEMROOT%\Inetpub\AdminScripts
3. Type the following command, where x is your site identifier and hostname is the alternate host name that you want to use:
cscript adsutil.vbs set w3svc/x/SetHostName hostname

E.g.:
cscript adsutil.vbs set w3svc/70762098/SetHostName linax.wordpress.com


How to find your site identifier?
In IIS 5 or 6, view the properties of the website and, in the Web Site tab, click the Properties button for the logging. At the bottom of the Extended Logging Properties window is the Log file name. It will be something like this: W3SVCXXXXX\exyymmdd.log.
XXXXX is your site identifier.

Disabling HTTP TRACE method in Apache and IIS

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 05:57

Apache

Traditionally, experts suggest disabling this with rewrite rules like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(This needs to be added somewhere in your main Apache config file, outside of any vhost or directory config.)

Still, this has disadvantages; to mention just one, you need to have mod_rewrite enabled on the server.
But for Apache versions newer than 1.3.34 in the legacy branch, and 2.0.55 (or newer) for apache2, this can be done very easily,
because there is a new Apache directive that controls whether the TRACE method is enabled:

TraceEnable off

This needs to be added in the main server config; the default is enabled (on).
TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.

Microsoft IIS

In Microsoft Windows TRACE is controlled by a registry key.
Create a DWORD value called EnableTraceMethod in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

This should be 1 for on, and 0 for off.

Enjoy!
