Internal IP Exposed
aerowolf at gmail.com
Tue Mar 26 03:09:31 UTC 2019
That's a configuration issue with the servers, not an issue with the
openssl command itself.
There's no information on what the back-end HTTP server software is
being used. If it were Apache, there would be a ServerName directive
that could change the server's idea of what name it should refer to
itself as. I don't have information on other server software
On Sun, Mar 24, 2019 at 7:34 PM Abdul Qoyyuum
<aqoyyuum at cardaccess.com.au> wrote:
> Hi all,
> New to the mailing list and a complete newbie to openssl and the likes. There's a ticket by a client that I'm new at and he claims that there's a security problem with the openssl command to his servers.
> Internal IP exposed after running a openssl (version 1.1.0j) connect command:
> openssl s_client -connect 103.XX.XXX.XX:10443 -quiet
> Where 103.XX.XXX.XX is a Public IP. And after it shows the certificates, typed the following:
> GET /images HTTP/1.0
> And hit enter twice, the following gets displayed:
> HTTP/1.0 301 Moved Permanently
> Date: Mon, 25 Mar 2019 00:10:13 GMT
> Server: xxxxxxxx-xxxxx
> Location: https://10.240.123.1:10443/images/
> Connection: close
> Content-Type: text/html; charset=utf-8
> X-Frame-Options: SAMEORIGIN
> Content-Security-Policy: frame-ancestors 'self'
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Strict-Transport-Security: max-age=28800
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <TITLE>301 Moved Permanently</TITLE>
> <H1>Moved Permanently</H1>
> The document has moved <A HREF="https://10.240.123.1:10443/images/">here</A>.<P>
> The 10.240.123.1 is an internal IP and it is exposed by this little method. Although not shown when using curl -kv -O command.
> Is there a way to cover up the "Location" or at least the internal IP from being exposed? Thanks.
> Sorry if this isn't clear or if this is the wrong place to ask this.
> Abdul Qoyyuum Bin Haji Abdul Kadir
> HP No: +673 720 8043
More information about the openssl-users