Solved

Penetration test revealed - Web server unknown location redirect uses private IP address

Posted on 2011-03-03
Last Modified: 2012-05-11
An auditor did a penetration test of our network and recommended we correct the following.

Following is exactly what they wrote....no more no less. I'm a little confused and I need to correct it today.

'Web server - unknown location redirect uses private IP address'
Question by:bernardb

Accepted Solution

by:
strickdd earned 500 total points
ID: 35030101
This means that one of your server redirects is not using the domain or relative path to send the request from one site to another. Instead it is using the IP address of the server. This can occur with an IIS redirect or potentially redirecting to an error page.

I would suggest asking for the description and documentation from the testing tool about this error message to figure out what it means for the tool. I would also get the result from the test that should contain what the test was doing and where it was redirecting to.

Author Comment

by:bernardb
ID: 35031092
More info...it says the following

"Web server discloses private IP address
The web server is located behind a firewall. The firewall translates the public IP address of the web server (63.xxx.xxx.xxx) to a private IP address (10.xxx.xxx.xxx).
When the web server handles a request for an unknown location, it will redirect the browser to another location. This location includes the private IP address of the web server."

xxxxxxxx

The information provided by the web servers can be used by an attacker to enhance the effectiveness of as-yet unknown vulnerabilities.

xxxxxxxx

Your company should configure the web server to use the hostname when redirecting browsers (instead of the IP address).

Author Comment

by:bernardb
ID: 35031318
No other responses? This is the info given to us by the auditors
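
A check for the auditor's finding quoted above, as an added example that is not part of the original thread: it parses a redirect response and reports whether the Location header exposes a private IP address, so the fix can be verified after the server is reconfigured. The sample responses, the address 10.0.0.5 and the hostname www.example.com are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not from the audit report): what a server might
# send for an unknown location before and after the hostname fix.
BEFORE = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://10.0.0.5/unknown/\r\n"
          b"Content-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 302 Found\r\n"
         b"Location: http://www.example.com/unknown/\r\n"
         b"Content-Length: 0\r\n\r\n")


def location_header(raw_response: bytes):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def leaked_private_ip(raw_response: bytes):
    """Return the non-public IP literal used as the redirect host, or None."""
    location = location_header(raw_response)
    if not location:
        return None
    host = urlsplit(location).hostname            # None for relative redirects
    if host is None:
        return None
    try:
        address = ipaddress.ip_address(host)
    except ValueError:                            # a hostname, not an IP literal
        return None
    # is_private covers RFC 1918 ranges plus loopback and link-local addresses
    return str(address) if address.is_private else None


if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", leaked_private_ip(response) or "no private IP in redirect")
```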