Internal IP Address Exposed

I ran a Nessus scan against my Ignition 7.3.1 gateway. This gateway is accessible from the Internet via a single port forward through the firewall.

Overall, I am happy with the results of the scan with one exception. For some reason the web server is exposing my internal IP address assigned to the gateway.

This is an excerpt from the report outlining this:

[quote]Web Server HTTP Header Internal IP Disclosure


This web server leaks a private IP address through its HTTP headers.
List of Hosts


Plugin Output

When processing the following request :

GET / HTTP/1.0

this web server leaks the following private IP address :

as found in the following collection of HTTP headers :

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 22 Nov 2011 18:21:07 GMT
Connection: close


This may expose internal IP addresses that are usually hidden or
masked behind a Network Address Translation (NAT) Firewall or proxy

There is a known issue with Microsoft IIS 4.0 doing this in its default
configuration. This may also affect other web servers, web applications,
web proxies, load balancers and through a variety of misconfigurations
related to redirection.



See also

… 8/1/80.ASP

Risk Factor

Low / CVSS Base Score: 2.6
CVSS Temporal Score: 2.6 (CVSS2#E:H/RL:U/RC:C)


Bugtraq ID


Other References

Vulnerability publication date: 2000/07/13
Plugin publication date: 2001/09/14
Plugin last modification date: 2011/06/01
Ease of exploitability : No exploit is required
[/quote]

The only place that I see in my gateway configuration where this address is defined is under the OPC-UA Settings section under Endpoint Address.

Any thoughts?

Hope you have better than a 3-character password :smiling_imp:

As for your question… investigating. Will update when I know.

Was the scan run from inside the firewall?

Try changing the setting under the gateway configuration page->“Redundancy” link in the Configuration section. On that page, there is a section labelled “Network Settings”. There you can remove the autodetection of the network interface and HTTP interface. You’ll want to manually enter the public facing IP address.

I’m not 100% sure that this will remove the internal listing from your scans. Please let us know what you see. Thanks!
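
One way to re-check the gateway after changing the network settings, without waiting for another full scan (an added example, not code from any poster in this thread or from the Ignition project). It sends the same request the report shows, GET / HTTP/1.0 with no Host header, and looks for RFC 1918 addresses in the response headers. The function names, the Location header and every address in the sample responses are constructed for illustration.

```python
import ipaddress
import re
import socket

# RFC 1918 ranges: the addresses normally hidden behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def private_ips_in_headers(raw_response: bytes):
    """Return [(header_name, ip), ...] for each RFC 1918 address in the headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:  # e.g. 999.1.1.1
                continue
            if any(ip in net for net in RFC1918):
                findings.append((name.strip(), str(ip)))
    return findings

def fetch_http10(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send the request from the report (HTTP/1.0, no Host header), return raw bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks)

# Constructed samples: the report's headers plus a hypothetical Location header.
COMMON = (b"Content-Length: 0\r\nDate: Tue, 22 Nov 2011 18:21:07 GMT\r\n"
          b"Connection: close\r\n\r\n")
SAMPLE_BEFORE = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: Apache-Coyote/1.1\r\n"
                 b"Location: http://192.168.1.50:8088/main/\r\n" + COMMON)
SAMPLE_AFTER = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: Apache-Coyote/1.1\r\n"
                b"Location: http://203.0.113.10:8088/main/\r\n" + COMMON)

if __name__ == "__main__":
    print("before:", private_ips_in_headers(SAMPLE_BEFORE))
    print("after: ", private_ips_in_headers(SAMPLE_AFTER))
    # Against your own gateway, from outside the firewall:
    # print(private_ips_in_headers(fetch_http10("gateway.example", 8088)))
```

Run it from outside the firewall against the forwarded port; an empty list means no RFC 1918 address appears in the headers of that response.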