Thread: can't suppress content-location header on HTTPS/IIS6?

Last post 08-29-2008 11:47 AM by e1ny. 3 replies.

  • 08-15-2008, 8:25 AM

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 9:50 PM
    • Posts 130

    can't suppress content-location header on HTTPS/IIS6?

    Hi All: I have a commerce site on an IIS6 server that's using ScanAlert (now McAfee) for security verification. The server is running 2003 SP2 with all current updates.

    The server is behind a Cisco PIX firewall with 1-to-1 NAT.  The web is running on its own IP with its own SSL cert.

    Their website says the server is revealing the internal IP address, and pointed me to this solution:

    FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0

    I've used adsutil.vbs to both "sethostname" and "usehostname" for the website, but McAfee still claimed the vulnerability was there. I finally set the hostheader value for the IP in ISM (for a single site running on a unique IP I usually just leave this blank), and while this seems to have fixed it for HTTP, McAfee claims the server is still revealing the IP over HTTPS.

    Is there any way to fix this problem, either at the firewall or on the server itself?

  • 08-20-2008, 6:44 AM In reply to

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 9:50 PM
    • Posts 130

    Re: can't suppress content-location header on HTTPS/IIS6?

    Hi Everyone....any insights on how to block content-location header info for HTTPS requests?

  • 08-29-2008, 11:20 AM In reply to

    • taurusat
    • Not Ranked
    • Joined on 08-29-2008, 3:16 PM
    • Posts 1

    Re: can't suppress content-location header on HTTPS/IIS6?

    Hi Einy,

    Even I am also having the same problem with my website. I am also using McAfee Secure for my websites. I had fixed this error for HTTP requests but McAfee is still showing the above message for HTTPS requests.

    Please let me know if you got any solution for this.

    Thanks

    Taurusat

  • 08-29-2008, 11:47 AM In reply to

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 9:50 PM
    • Posts 130

    Re: can't suppress content-location header on HTTPS/IIS6?

    McAfee finally pointed me to a link on setting bindings for SSL by editing the metabase:

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

    The technote says you must use a wildcard cert, but I assume that's only if you need to support www.mysite.com and mysite.com. I'm already redirecting everything to www.mysite.com so hopefully this will work with a standard SSL cert.
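
A check for the header the scanner is flagging, as an added example that is not part of the thread: it parses a saved response head from the site (HTTP or HTTPS) and reports any private IPv4 address exposed in Content-Location or Location. The sample responses, the address 192.168.10.25 and the name www.example.com are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Headers in which the server can echo the address the site is bound to.
URL_HEADERS = ("content-location", "location")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample responses (not captured from a real server).
LEAKY = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
         "Content-Location: https://192.168.10.25/Default.htm\r\n"
         "Content-Type: text/html\r\n\r\n<html>")
FIXED = LEAKY.replace("192.168.10.25", "www.example.com")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response head into lower-cased (name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:              # skip the status line
        if line[:1] in (" ", "\t") and headers:    # obsolete folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def internal_ip_leaks(raw: str) -> list[tuple[str, str]]:
    """Return (header, address) for each private IPv4 address in a URL header."""
    leaks = []
    for name, value in parse_headers(raw):
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname or ""
        # Prefer the URL host; fall back to any dotted quad in the value.
        candidates = [host] if IPV4_RE.fullmatch(host) else IPV4_RE.findall(value)
        for cand in candidates:
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:                     # e.g. 999.1.1.1
                continue
            if addr.is_private:
                leaks.append((name, cand))
    return leaks
```

Run it against the response head from both the HTTP and the HTTPS binding, since the thread shows the two can differ after the fix.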
