Howto: Fix Microsoft IIS Internal IP Address Disclosure Vulnerability With Scripts

What is IP Address Disclosure?

It is usually a bullshit “vulnerability” that firms will mention if they can’t find anything else to report.

How do you fix it without wasting 10 years of your time?

First, we need to find out the site IDs for all the websites on a given Windows server (I am assuming Windows Server 2003 here). Create the batch file c:\admin\list_site_ids.bat (you can mkdir c:\admin if you don’t have it) to grab the site IDs and write them to a file called site_ids.txt. Here are the batch file contents:

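@echo Script starting
REM Run the script under cscript so the output goes to the console and can be redirected.
REM iisweb.vbs is installed in %SystemRoot%\System32 on Windows Server 2003.
cscript //nologo %SystemRoot%\System32\iisweb.vbs /query >> C:\admin\site_ids.txt
@echo Script complete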

You can then write a batch file that uses the ‘SetHostName’ function of the adsutil.vbs utility on the server to make sure the host name is set to a text URL rather than divulging an internal IP address:

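*Don’t forget to replace (id of site) with an ID from site_ids.txt and (host name) with the host name that site should report*

REM AdminScripts is assumed to be under Inetpub on the system drive.
cd /d %SystemDrive%\Inetpub\AdminScripts
cscript adsutil.vbs set w3svc/(id of site)/SetHostName (host name)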
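
To confirm the change took effect, compare the raw response the scanner flagged with the same response captured after the change. The following is an added example, not part of the original post: it looks for RFC 1918 addresses in the `Location` and `Content-Location` headers, where this finding is normally reported. The function name and both sample responses are constructed for illustration.

```python
import ipaddress
import re

# Headers in which a web server can echo its own address back to the client.
ADDRESS_HEADERS = ("location", "content-location")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def leaked_private_ips(raw_response):
    """Return (header, ip) pairs for RFC 1918 addresses in response headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # ignore the body
    findings = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ADDRESS_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:                    # not a valid address, e.g. 999.1.1.1
                continue
            if any(ip in net for net in RFC1918):
                findings.append((name.strip(), candidate))
    return findings


# Constructed sample responses: before and after the host name is set.
BEFORE = ("HTTP/1.1 302 Object Moved\r\n"
          "Location: http://10.0.0.5/images/\r\n"
          "Server: Microsoft-IIS/6.0\r\n"
          "Content-Length: 0\r\n\r\n")
AFTER = ("HTTP/1.1 302 Object Moved\r\n"
         "Location: http://www.example.com/images/\r\n"
         "Server: Microsoft-IIS/6.0\r\n"
         "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, leaked_private_ips(response))
```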
