Solved

Penetration test revealed - Web server unknown location redirect uses private IP address

Posted on 2011-03-03
Last Modified: 2012-05-11
An auditor did a penetration test of our network and recommended we correct the following.

Following is exactly what they wrote....no more no less. I'm a little confused and I need to correct it today.

'Web server - unknown location redirect uses private IP address'
Question by:bernardb
Accepted Solution

by:
strickdd earned 500 total points
ID: 35030101
This means that one of your server redirects is not using the domain or relative path to send the request from one site to another. Instead it is using the IP address of the server. This can occur with an IIS redirect or potentially redirecting to an error page.

I would suggest asking for the description and documentation from the testing tool about this error message to figure out what it means for the tool. I would also get the result from the test that should contain what the test was doing and where it was redirecting to.

Author Comment

by:bernardb
ID: 35031092
More info...it says the following

"Web server discloses private IP address
The web server is located behind a firewall. The firewall translates the public IP address of the web server (63.xxx.xxx.xxx) to a private IP address (10.xxx.xxx.xxx).
When the web server handles a request for an unknown location, it will redirect the browser to another location. This location includes the private IP address of the web server."

xxxxxxxx

The information provided by the web servers can be used by an attacker to enhance the effectiveness of as-yet unknown vulnerabilities.

xxxxxxxx

Your company should configure the web server to use the hostname when redirecting browsers (instead of the IP address).
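A way to confirm the auditors' finding and re-test after the server is reconfigured, as an added example that is not part of the original thread: it parses a saved HTTP response head and reports any URL-bearing header whose host is a private IP address. The sample responses, the address 10.0.0.5 and www.example.com are constructed, and checking `Content-Location` as well as `Location` goes beyond the redirect case the auditors describe.

```python
import ipaddress
from urllib.parse import urlsplit

# Response headers that carry a URL the server builds from its own address.
URL_HEADERS = ("location", "content-location")

def parse_headers(raw: str) -> dict[str, str]:
    """Return the headers of a raw HTTP response head, names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def private_ip_leaks(raw: str) -> list[tuple[str, str]]:
    """Return (header, address) pairs where a URL header names a private IP."""
    headers = parse_headers(raw)
    leaks = []
    for name in URL_HEADERS:
        host = urlsplit(headers.get(name, "")).hostname
        if not host:
            continue   # header absent, or a relative path with no host part
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue   # a hostname, which is what the auditors asked for
        if addr.is_private:   # covers RFC 1918 ranges such as 10.0.0.0/8
            leaks.append((name, str(addr)))
    return leaks

# Constructed sample responses (not captured from the poster's server).
LEAKY = ("HTTP/1.1 302 Object Moved\r\n"
         "Location: http://10.0.0.5/missing/\r\n"
         "Content-Length: 0\r\n\r\n")
FIXED = ("HTTP/1.1 302 Object Moved\r\n"
         "Location: http://www.example.com/missing/\r\n"
         "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", LEAKY), ("after", FIXED)):
        print(label, private_ip_leaks(raw))
```

The input can be the header portion of a response saved with `curl -i` against a path that does not exist on the server.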

Author Comment

by:bernardb
ID: 35031318
No other responses? This is the info given to us by the auditors
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now