Gill_32697
Mar 05, 2015

GET, provides a host name or an IP address in the response

We have an issue with some old Web Server Internal IP Address Disclosure, please see notes below. Is this something that can be fixed using the BigIP?

 

When Microsoft Internet Information Services (IIS) receives a GET request without a host header, the Web server may reveal the IP address of the server in the content-location field or the location field in the TCP header in the response. This problem occurs because when IIS receives a GET request that has no host header, IIS must provide a host name or an IP address in the response.

 

2 Replies

  • If you are only running the one site on the IP, which I assume you are since host headers would be required to run more than one, you can use a simple iRule like this to ensure the host header is passed back to your IIS server.

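    when HTTP_REQUEST {
        # Force a Host header on every request before it reaches IIS
        # (HTTP::host only reads the header, so set it with HTTP::header replace)
        HTTP::header replace Host "www.mysite.com"
    }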
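
A way to confirm the disclosure is closed once the iRule is in place, as an added example that is not part of the original thread: it parses a raw HTTP response and reports private IPv4 addresses in the Location and Content-Location headers. The sample responses, the address 10.1.20.15 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Response headers the question names as carrying the server address.
LEAK_HEADERS = ("location", "content-location")
# Dotted-quad candidates that are not part of a longer number or dotted string.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_headers(raw: bytes):
    """Return (status_line, [(lowercased_name, value), ...]) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def internal_ip_leaks(raw: bytes):
    """List (header, address) pairs where a private IPv4 address is exposed."""
    _, headers = parse_headers(raw)
    leaks = []
    for name, value in headers:
        if name not in LEAK_HEADERS:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looks like a dotted quad but is not a valid address
            if addr.is_private:
                leaks.append((name, candidate))
    return leaks

# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 302 Object Moved\r\n"
          b"Location: http://10.1.20.15/images/\r\n"
          b"Content-Location: http://10.1.20.15/Default.htm\r\n"
          b"Content-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 302 Object Moved\r\n"
         b"Location: http://www.mysite.com/images/\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("before:", internal_ip_leaks(BEFORE))
    print("after: ", internal_ip_leaks(AFTER))
```

Feed it the response headers saved from a request through the virtual server; an empty list means neither header carries a private address.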