70
HTTP PROPFIND internal IP address leakage
HTTP
2004/03/22
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
Marc Ruef
marc dot ruef at computec dot ch
http://www.computec.ch
computec.ch
2004/11/14
2.0
Optimized the pattern matching in version 1.2 enormously. Corrected the plugin structure and added the accuracy values in 1.3. Improved the pattern matching and introduced the plugin changelog in 2.0
tcp
80
open|send PROPFIND / HTTP/1.0\nHost:\nContent-Length: 0\n\n|sleep|close|pattern_exists HTTP/#.# ### *192.168.#* OR HTTP/#.# ### *10.#* OR HTTP/#.# ### *172.1[6-9].#* OR HTTP/#.# ### *172.2#.#* OR HTTP/#.# ### *172.3[0-1].#*
98
Check is copied from the Nessus plugin.
http://www.nextgenss.com/papers/iisrconfig.pdf
Microsoft Internet Information Server
Other web servers
Configuration
The remote web server leaks a private IP address through the WebDAV interface. If this web server is behind a Network Address Translation (NAT) firewall or proxy server, then the internal IP addressing scheme has been leaked. This is typical of IIS 5.0 installations that are not configured properly.
See http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&ID=KB;EN-US;Q218180 for more details in MS IIS environments.
1 hour
Yes
Yes
Yes
Medium
7
7
5
7
Low
Nessus is able to do the same check.
CAN-2002-0422
12113
Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427
http://www.computec.ch
