Web Server HTTP Header Internal IP Disclosure
One of my virtual servers returns the vulnerability Web Server HTTP Header Internal IP Disclosure during a Nessus scan. Security is asking me to fix this but I am not sure how. I tried creating a traffic policy that looks for the user agent browser version, but it did not work. Can I remediate this using a traffic policy or an iRule? Results from the Nessus scan (I replaced the internal IP with x):
Nessus was able to exploit the issue using the following request :
GET / HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
This produced the following truncated output (limited to 10 lines) :
------------------------------ snip ------------------------------
Location: https://x.x.x.x
Content-Length: 0
Set-Cookie: BIGipServersecuritycode_pool=!eqWzOV3gZ9FYUseX0oXX4p1/qldnSqlypGSckjlKQ4SixTXmSwQJ5JGJA+YkLWE6hOe7moh3oHoh8P8=; path=/; Httponly; Secure
X-FRAME-OPTIONS: SAMEORIGIN
------------------------------ snip ------------------------------
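The finding above is a 3xx response whose Location header carries the pool member's own address, typically because Nessus sends an HTTP/1.0 request with no Host header and the server builds the redirect from its bound IP. The iRule below is an added example, not code from the original post or from F5; it assumes the public name clients should see is www.example.com (a placeholder) and that the virtual server has an HTTP profile attached, which the HTTP::* commands require. It first supplies a Host header when the request lacks one, and then, as a backstop, rewrites any Location header that still starts with an RFC 1918 address.

```tcl
# Added example (not from the original post): iRule for the BIG-IP virtual
# server that stops private addresses leaking in the Location header.
# Assumptions: www.example.com is the public hostname (placeholder), and
# the virtual server has an HTTP profile (needed for HTTP::* commands).

when HTTP_REQUEST {
    # An HTTP/1.0 request with no Host header is what triggers the finding:
    # many servers then redirect to their own bound address. Insert a Host
    # header only when one is absent, so real browser requests are untouched.
    if { [HTTP::host] eq "" } {
        HTTP::header insert Host "www.example.com"
    }
}

when HTTP_RESPONSE {
    # Backstop: if the pool member still emitted a private address in the
    # Location header, rewrite the scheme://host[:port] part before it leaves.
    if { [HTTP::header exists "Location"] } {
        set loc [HTTP::header "Location"]
        # Matches http(s):// followed by a 10/8, 172.16/12 or 192.168/16
        # address and an optional :port, anchored at the start of the URL.
        set rfc1918 {^(https?://)(10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)(:\d+)?}
        # \1 keeps the scheme; the internal host and port are replaced by the
        # public name, so this assumes the public side uses the default port.
        if { [regsub $rfc1918 $loc {\1www.example.com} newloc] } {
            HTTP::header replace "Location" $newloc
            log local0. "Rewrote Location [string range $loc 0 63] -> $newloc"
        }
    }
}
```

The request-side Host insertion removes the trigger when the server derives redirects from the Host header; the response-side regsub catches servers that are configured with a literal IP. To verify, repeat the scanner's probe by hand (an HTTP/1.0 GET with no Host header against the virtual server) and confirm the Location value no longer contains the x.x.x.x address shown in the scan output. A fixed-string replace in an LTM policy would also work if the leaked address is always the same one, but the regsub above covers every pool member and any future address change, which is why an iRule fits this case better.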