PCI Security Scan Failure

Post by calvis » Mon Oct 15, 2018 11:24 am

Hi There,

We are all of a sudden failing our PCI Security Scan with Security Metrics. Nothing has changed other than forcing our store to use https. Anyone know what the culprit might be? It's leaking our private IP address in the headers.

This is the error message I am getting.

Title:
Web Server HTTP Header Internal IP Disclosure
Synopsis:
This web server leaks a private IP address through its HTTP headers.
Impact:
This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.
There is a known issue with Microsoft IIS 4.0 doing this in its default
configuration. This may also affect other web servers, web applications,
web proxies, load balancers and through a variety of misconfigurations
related to redirection. See also : http://www.nessus.org/u?fe24f941
http://support.microsoft.com/default.as ... US;Q218180
http://support.microsoft.com/default.as ... -US;834141
Resolution:
None
Data Received:
When processing the following request : GET / HTTP/1.0 this web server
leaks the following private IP address : 10.100.0.200 as found in the
following collection of HTTP headers : HTTP/1.1 301 Moved
Permanently Content-Type: text/html; charset=utf-8 Location:
https://10.100.0.200/ Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET
Date: Thu, 11 Oct 2018 23:14:20 GMT Connection: close Content-Length:
138
CVE Score Vector
CVE-2000-0649 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Able Customer Since 1999 Currently Running on GOLD R12 SR1 and PCI Certified.
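
The finding quoted in the post above can be checked offline against a captured response. The following is an added example, not part of the original post and not AbleCommerce code; the function names and the `store.example.com` sample are assumptions made here.

```python
import ipaddress
import re

# Response quoted in the scan report above (reply to "GET / HTTP/1.0").
SCAN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: https://10.100.0.200/\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 11 Oct 2018 23:14:20 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 138\r\n"
    "\r\n"
)

# Constructed sample: the same redirect pointing at a public host name.
CLEAN_RESPONSE = SCAN_RESPONSE.replace("10.100.0.200", "store.example.com")

# Dotted quad not embedded in a longer number or version string.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def parse_headers(raw):
    """Return [(name, value), ...] from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def find_internal_ips(raw):
    """List (header_name, ip) for each non-public IPv4 literal in a header."""
    hits = []
    for name, value in parse_headers(raw):
        for candidate in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:                   # not a valid address, e.g. 999.1.1.1
                continue
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                hits.append((name, candidate))
    return hits

if __name__ == "__main__":
    for name, ip in find_internal_ips(SCAN_RESPONSE):
        print(f"{name} header discloses internal address {ip}")
```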
