Forum Discussion

eng_mohamadawad
Jul 09, 2015

Threat :Microsoft IIS is exposed to an Internal IP Disclosure Vulnerability

Dears,

We have the below threat reported by PCI on OWA. We are using F5 11.6 + hotfix 4. How can F5 help to close this issue:


"THREAT: Microsoft IIS is exposed to an Internal IP Disclosure Vulnerability. When sending a specially crafted GET request to the web server with an empty Host header using web protocol HTTP/1.0, the internal address of the underlying web server is sent back in the response to the query.

IMPACT: If this vulnerability is successfully exploited, attackers can obtain the internal address of the underlying web server.

SOLUTION: There are no vendor supplied patches available at this time.

RESULT:

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    WWW-Authenticate: Basic realm="172.20.14.31"
    X-Powered-By: ASP.NET
    Date: Thu, 02 Jul 2015 17:11:13 GMT
    Connection: keep-alive
    Content-Length: 1293
    Set-Cookie: TS0120d06e=01022a5b9de07bdaa238fa54ef512bec5b0f4c8a2c81f813336fedbfc4cdf502a92b6a65e8; Path=/
    Set-Cookie: TS0120d06e_28=01c45154303707b3459c2c178f3ea26d7e351eb4af168bb23489dd346abca7ae45 9d6fc49e6204d416bad58e47411b94c4eb578e15; Path=/

    (XHTML body, with tags stripped in the scanner output:)
    Server Error
    401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.

    (Request that produced this response:)
    GET /Microsoft-Server-ActiveSync/default.eas HTTP/1.0
    Host:"

  • Maybe the easiest solution is to prevent empty HTTP/1.0 Host headers from getting to IIS:

    when HTTP_REQUEST {
        # Only HTTP/1.0 clients may legitimately omit the Host header (HTTP/1.1
        # requires it). The scanner's finding is that IIS answers such a request
        # with its own internal address in the WWW-Authenticate realm.
        if { [HTTP::version] eq "1.0" } {
            if { not ([HTTP::header exists Host]) or ([HTTP::header Host] eq "") } {
                # HTTP::header replace overwrites the header, or inserts it when it is
                # absent, before the request is forwarded to IIS. "somehost" is a
                # placeholder; any fixed name is enough to stop the IP being reflected.
                HTTP::header replace Host "somehost"
            }
        }
    }

  • Copy this code and paste it into a new iRule in the BIG-IP management GUI. It's the iRules section under Local Traffic. Once you've created the iRule, go to the virtual server configuration, go to its resources tab, and then add the iRule to the VIP config there. You may also need an HTTP profile applied to the VIP if you don't already have one there.
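Added example, not part of this thread or of F5's own code: a small Python check that parses a captured HTTP response (the scanner result quoted in the question, or any response captured through the VIP after the iRule is applied) and reports header values that carry a private, loopback or link-local IPv4 address, so the fix can be verified before the next PCI scan. Both sample responses are constructed for the example; the first copies the headers of the 401 quoted above, and mail.example.com is a placeholder name.

```python
import ipaddress
import re

# Dotted-quad candidates; each is validated with ipaddress below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, [(name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def find_internal_ip_leaks(raw: str):
    """Return [(header_name, ip)] for every RFC1918, loopback or link-local
    IPv4 address in a response header value (a 401 realm, a Location
    redirect, a Via header, ...). The body is not inspected."""
    _, headers, _ = parse_response(raw)
    leaks = []
    for name, value in headers:
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                leaks.append((name, str(ip)))
    return leaks


# Constructed sample: the headers of the 401 quoted in the question.
LEAKY_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    'WWW-Authenticate: Basic realm="172.20.14.31"\r\n'
    "X-Powered-By: ASP.NET\r\n\r\n<html>...</html>"
)

# Constructed sample: the same challenge once the iRule supplies a Host
# value; mail.example.com is a placeholder for the public OWA name.
FIXED_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="mail.example.com"\r\n\r\n<html>...</html>'
)
```

An empty result for a response captured through the VIP means the realm no longer carries the back-end address; a non-empty result names the header to look at.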