Web Server HTTP Header Internal IP Disclosure

jmasgalas
Nimbostratus

One of my virtual servers returns the vulnerability Web Server HTTP Header Internal IP Disclosure during a Nessus scan. Security is asking me to fix this but I am not sure how. I tried creating a traffic policy that looks for the user agent browser version but it did not work. Can I remediate this using a traffic policy or an iRule? Results from the Nessus scan (I replaced the internal IP with x):

Nessus was able to exploit the issue using the following request :

GET / HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

This produced the following truncated output (limited to 10 lines) :

------------------------------ snip ------------------------------
Location: https://x.x.x.x
Content-Length: 0
Set-Cookie: BIGipServersecuritycode_pool=!eqWzOV3gZ9FYUseX0oXX4p1/qldnSqlypGSckjlKQ4SixTXmSwQJ5JGJA+YkLWE6hOe7moh3oHoh8P8=; path=/; Httponly; Secure
X-FRAME-OPTIONS: SAMEORIGIN
------------------------------ snip ------------------------------


They are referring to the easily decoded cookie BIGipServersecuritycode_pool; once decoded, you'll see the pool member IP address.

The easy solution is to encrypt the cookie.

 

Have a look into this great github page:

https://github.com/dnkolegov/bigipsecurity#persistence-cookie-information-leakage

jmasgalas
Nimbostratus

I am using an encrypted cookie. I also tried removing the server agent name from the HTTP profile. Nessus still detects the Location IP.

If the problem is the Location header exposing an IP address, you can try a simple iRule that rewrites the Location header, for example:

when HTTP_RESPONSE {
    # only touch 3xx responses; rewrite the internal address in Location
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location [string map -nocase {1.1.1.1 www.something.com} [HTTP::header value Location]]
    }
}

But you can implement something similar using an LTM policy.

jmasgalas
Nimbostratus

Thanks for the reply. I did create the iRule but Nessus is still detecting the same vulnerability. This is frustrating to say the least.

Here is my iRule:

when HTTP_RESPONSE {
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location [string map -nocase {1.1.1.1 securitycode.summithealth.org} [HTTP::header value Location]]
    }
}

I then tried something similar using a policy:

http header named Content-Location contains any of x.x.x.x at response time.
Replace http header named Content-Location with value securitycode.summithealth.org at response time.

Still not resolved.

jmasgalas
Nimbostratus

I was able to work around this by implementing the iRule below, but then the application breaks. Anyone have any ideas on how to remediate the vulnerability but keep the web site working?

when HTTP_RESPONSE {
    if { [HTTP::header is_redirect] } {
        HTTP::header replace Location \
            [string map -nocase "https://x.x.x.x/vipssp/ https://securitycode.summithealth.org/vipssp/" [HTTP::header value Location]]
    }
}