this isnt just for HTTPS... this can occur on plain HTTP also depending on how someone has setup. If you have an IIS web server you should not use "all ip addresses" for a web and instead pick the specific IP so that way IIS does not accidently return internal IP's etc.... Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Web Application Firewall || -----Original Message----- || From: marek_royat_private [mailto:marek_royat_private] || Sent: Tuesday, August 07, 2001 9:55 PM || To: bugtraqat_private || Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0 || || || GGS-AU / e-Synergies Security Advisory || August 8, 2001 || || Internal IP Address Disclosure in Microsoft-IIS 4.0 & || 5.0 || || Synopsis:
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:43:06 PDT