Howto: Fix Microsoft IIS Internal IP Address Disclosure Vulnerability With Scripts

What is  IP Address Disclosure?

It is usually a bullshit “vulnerability” that firms will mention if they can’t find anything else to report

How do you fix it without wasting 10 years of your time?

First, we need to find out the site IDs for all the websites on a given windows server (i am assuming windows server 2003 here). Create this batch file  c:\admin\list_site_ids.bat (you can mkdir  c:\admin if you don’t have it) to grab the site IDs and write them to a file called site_ids.txt.  Here is the batch file contents:

@echo Script starting
iisweb.vbs /query >> C:\admin\site_ids.txt
@echo Script complete

You can then write a batch file to use the ‘SetHostName’ function of the adsutil.vbs utility on the server to make sure the host name is set to a text url rather than divulging an internal IP address:

*Don’t forget to replace (id of site) with an ID from site_ids.txt*

cd \
cd ..
cd \
cd inetpub
cd AdminScripts
cscript adsutil.vbs set w3svc/(id of site)/SetHostName

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>