LDAPAccountManager / docker

Docker images for LAM
GNU General Public License v3.0

Docker LAM 8.6: Apache vulnerability - Web Server HTTP Header Internal IP Disclosure #4

Closed Nibeck1309 closed 5 months ago

Nibeck1309 commented 7 months ago

Description:

> This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.
>
> There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.

Output from most recent scan:

Nessus was able to exploit the issue using the following request:

```http
GET / HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
```

This produced the following truncated output (limited to 10 lines):

```
------------------------------ snip ------------------------------
Date: Mon, 19 Feb 2024 01:09:00 GMT
Server: Apache/2.4.57 (Debian)
Location: http://172.20.0.2/lam/
Content-Length: 282
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

------------------------------ snip ------------------------------
```
gruberroland commented 7 months ago

What exactly is the issue here? The text is about IIS which is not in use at all. Please provide more details and the attack vector.

Nibeck1309 commented 7 months ago

Hello, the problem is as follows:

> This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.

Apache returns the internal IP address in the Location header. This is an Apache configuration problem.

Could you please do the necessary?

gruberroland commented 6 months ago

It seems that your instance is behind some proxy server that calls it with the internal IP. In this case, the proxy server needs to rewrite location headers to match the proper domain name.

Nibeck1309 commented 6 months ago

Our vulnerability scanner (Tenable) scans directly on the Docker server where our LAM instance is deployed. The instance is not behind a proxy server.

gruberroland commented 6 months ago

This explains why you get a redirect to an internal IP. You need to recheck if this also happens when you call the instance with its external DNS name.
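A way to do that recheck, and to confirm that a proxy-side Location rewrite actually took effect, is shown below as an added example; it is not part of the LAM project or of this thread. The script flags a `Location` header whose host is an RFC 1918 address, and fetches response headers from an instance both the way the scanner did (HTTP/1.0 with no `Host` header) and the normal way, so the two can be compared. The function names, the `LAM_URL` variable and the captured sample (reconstructed from the scanner output quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not LAM project code. Checks HTTP redirects for an internal
# (RFC 1918) address in the Location header and probes an instance the way
# the scanner did. LAM_URL and the function names are assumptions.

# Print the host part of the Location header when it is an RFC 1918 address
# and return 0; return 1 when Location is absent or points at a public name.
# $1: raw response headers (CRLF or LF line endings).
private_ip_in_location() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "location:" {
            url = $2
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", url)   # drop scheme
            split(url, parts, "/"); host = parts[1]         # drop path
            sub(/:[0-9]*$/, "", host)                       # drop port
            if (host ~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                host ~ /^192\.168\.[0-9]+\.[0-9]+$/ ||
                host ~ /^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$/) {
                print host; found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Fetch only the response headers of $1. With $2 = "nohost" send an HTTP/1.0
# request without a Host header, which is what the scanner's request did;
# curl omits a header entirely when it is given with an empty value.
fetch_headers() {
    if [ "${2:-}" = "nohost" ]; then
        curl -s -o /dev/null -D - --http1.0 -H 'Host:' "$1"
    else
        curl -s -o /dev/null -D - "$1"
    fi
}

# Constructed sample: the headers quoted in the issue (status line omitted,
# as in the scanner's snip). Returns the leaked address, 172.20.0.2.
demo_captured() {
    sample='Date: Mon, 19 Feb 2024 01:09:00 GMT
Server: Apache/2.4.57 (Debian)
Location: http://172.20.0.2/lam/
Content-Length: 282
Content-Type: text/html; charset=iso-8859-1'
    private_ip_in_location "$sample"
}

# Live check, only when LAM_URL is set, e.g. LAM_URL=http://lam.example.org/
# Compares the scanner-style request with a normal request to the public name.
if [ -n "${LAM_URL:-}" ]; then
    for mode in nohost host; do
        hdrs=$(fetch_headers "$LAM_URL" "$mode")
        if leaked=$(private_ip_in_location "$hdrs"); then
            echo "$mode: Location header discloses internal address $leaked"
        else
            echo "$mode: no internal address in Location header"
        fi
    done
fi
```

Apache builds a self-referential redirect URL from the request's `Host` header when `UseCanonicalName` is `Off` (the default). When the request carries no `Host` header, as the scanner's HTTP/1.0 request does not, it falls back to `ServerName`, and if that is unset, to the address the connection arrived on, which is how the container address ends up in `Location`. So the `nohost` probe above reproduces the finding, while the `host` probe shows what a browser using the external DNS name would see; a proxy in front of the container would rewrite the header with `ProxyPassReverse` (Apache) or `proxy_redirect` (nginx), and a container reached directly needs `ServerName` set to its public name.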