What is IP Address Disclosure?
It is usually a bullshit “vulnerability” that firms will mention if they can’t find anything else to report.
http://www.securityfocus.com/bid/1499/discuss
How do you fix it without wasting 10 years of your time?
First, we need to find out the site IDs for all the websites on a given Windows server (I am assuming Windows Server 2003 here). Create the batch file c:\admin\list_site_ids.bat (mkdir c:\admin first if you don’t have it) to grab the site IDs and write them to a file called site_ids.txt. Here are the batch file contents:
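@ECHO READY
@echo Script starting
rem iisweb.vbs only runs under cscript, and cscript needs the full path to the script
cscript //nologo %SystemRoot%\System32\iisweb.vbs /query >> C:\admin\site_ids.txt
@echo Script complete
pause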
You can then write a batch file that uses the adsutil.vbs utility on the server to set the site’s ‘SetHostName’ property, so that the host name is a text URL and the server stops divulging an internal IP address:
*Don’t forget to replace (id of site) with an ID from site_ids.txt*
@ECHO READY
rem Change to the IIS admin scripts folder (/d also switches to drive C:)
cd /d C:\Inetpub\AdminScripts
@ECHO STARTING SCRIPT
cscript adsutil.vbs set w3svc/(id of site)/SetHostName www.mysite.com
@ECHO SCRIPT COMPLETED
pause