Skip to main content
This topic has been closed for replies.

9 replies

P
paule1234
Known Participant
November 12, 2010

It seems the issue was one of the IIS sites on the server did not have a host header bound to it's SSL port.  Now that the site is bound to a specific host header, IIS has no "default" SSL site to fall through to, so it returns the expected "400 Bad Request (Invalid Hostname)" error when the GET / HTTP/1.0 without a Host: parameter comes in.

FYI, the command to create the SSL binding is of the form:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/123456/SecureBindings ":443:mysslsite.mydomain.com"

C
Coos
Inspiring
November 16, 2010

I have the same problem described here using CF 8.01 CU 4 on Windows 2003 and all securtity patches for CF and the OS. If I remove the IIS wildcard mapping to jrun_iis6_wildcard.dll the IP address is not disclosed. Interestingly, the MS article says this problem was fixed in Win2003 SP1. We have SP2 but the 2 files they reference in the article are later internal verision numbers than what we have on our server. Nothing appeared to fix the issue including reinstalling SP2, running the IIS Adminscripts or trying the suggestsions by everyone.

I was able to get around this issue using a free ISAPI rewrite filter on http://iirf.codeplex.com/. There are a few others around, but this one appears to work. There's a native 32 bit installer but the x64 version needs to be manually installed.

My Inetpub\wwwroot\Iirf.ini file contains the logic below. It basically redirects every HTTP 1.0 request to the desired url. You can choose www.google.com or whatever, but for testing mine is going to the root of my site. This may not work for you if you still need to process requests from very old browsers, but for me it's fine. We have UrlScan preventing downloads of .ini files so having the configuration file in the root of the web site is fine.

Also, it's probably a better idea to also include a section that catches missing host names in addition  to the HTTP 1.0 request, but my regex is rusty and this does the job.

##Iirf.ini

##RewriteLogLevel 4
##RewriteLog c:\windows\temp\iirf
##StatusUrl /iirfStatus

## if the request is HTTP 1.0, redirect. HTTP 0.9 and other weird ones fail with a 400.
RewriteCond %{SERVER_PROTOCOL} HTTP/1.0

##redirect to the root. The / is needed, otherwise the IP Address will be in the header.
##This may cause an endless loop but most browsers should stop the redirections after a
##certain amount of times.
RedirectRule ^/(.*)$ /

A
Anonymous
October 6, 2010

My solution has been to re-write all the CF functions in .NET and remove CF from the server.

S
Steve Sommers
Legend
October 6, 2010

Hmm. That seems like a costly solution if your web app is of any size.

A
Anonymous
October 6, 2010

Was not that big of a deal - we were .NET already and we had a job that ran on CF every night so it was just one module to replace.

Miguel-F
Miguel-F
Inspiring
October 6, 2010

Here is a link to the security document that Steve references.  Note, it is for CF9.

http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf

D
Community Expert
Dave WattsCommunity Expert
Community Expert
October 6, 2010

While it is for CF 9, much of the content is applicable to any recent version of CF.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

Dave Watts, Eidolon LLC
L
lleshf
Participant
October 5, 2010

We are running into this exact same issue with CF9.

We did this on our Windows 2003 server

http://support.microsoft.com/kb/834141

and when I ran the PCI scan it still came up with the private IP in the HTTP headers. So I kept searching for a solution and found this.

http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-addre  ss-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx

So it looks like CF is intercepting the HTTP GET command and displaying the HTTP header with the private IP address.

We can't delete the "wildcard ISAPI DLL" from IIS6 because CF will stop working. Did anyone ever come up with a solution to this huge problem? Thanks.

B
brian428
Participating Frequently
October 5, 2010

Did you try adding a default HTTP:Host header value in IIS, as the article

suggests?

L
lleshf
Participant
October 5, 2010

Yes I did that part and I tested it by deleting the jrun_iis_wildcard.dll from IIS6 and CF stopped working on the server. I ran the PCI scan and it came out fine I think because IIS then takes the request and since I configured it to display the server name it did display it instead of the IP.

I wish there was a setting in CF9 that tells it to display the server name instead of the IP for the GET HTTP command OR if it could just pass the GET HTTP request to IIS. Any other ideas would be greatly appreciated. Thanks!

J
Jochem van Dieten
Inspiring
August 22, 2009

1. The article you link already has the answer:

We can either ensure the HTTP client application includes a HTTP:Host header value in its request. (Actually HTTP:Host headers are required by the HTTP/1.1 specifications (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23) or write an ISAPI filter that blocks and rejects any incoming HTTP requests that do not include an HTTP:Host header.

So configure a Host header in your IIS website.

2. I fail to see where the PCI specifiction says said behaviour is non-compliant.

N
newfields2
Participant
August 22, 2009

Jochem,

You wrote:

>So configure a Host header in your IIS website.

I wish it was easy as that.

Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.

Enable the DLL and the private IP headers are leaked.

>2. I fail to see where the PCI specifiction says said behaviour is non-compliant.

That link is no where near a full compilation of the reasons that a site would fail PCI compliancy.

It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.

The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue as it is specifically related to the DLL.  As mentioned in the link in the very first post of this thread, the issue is readily evident by turning on/off the DLL requirement. Unfortunately our sites require it.

"Synopsis :  This web server leaks a private IP address through its HTTP headers.   Description :  This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.   There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection.  See also :  http://support.microsoft.com/support/kb/     articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion.  Risk Factor:  Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE : CVE-2000-0649 BID : 1499 Other references : OSVDB:630   " [More]

J
Jochem van Dieten
Inspiring
August 22, 2009

newfields2 wrote:

>So configure a Host header in your IIS website.

I wish it was easy as that.

Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.

Enable the DLL and the private IP headers are leaked.

[More]

So you are saying that with both a host header configured and the wildcard dll enabled, there is a leak. Can you show me the whole IIS configuration XML file?

The specific PCI rejection is below. [More]

That is not a PCI rejection. That is the output of some scanning tool. That output requires human interpretation.

If you were to run that scanning tool against our infrastructure you would see some IP addresses too. IP addresses that in reality are located on an entirely different continent.

N
newfields2
Participant
August 21, 2009

I have run across this exact same issue as bscenefilms

Assuming for the moment that there is no fix to that wildcard DLL, does anyone know how to create an "ISAPI filter that blocks and rejects any incoming HTTP requests that do not include an HTTP:Host header".

That appears to be the only work around I have come across after hours of tracking this down.

T
TLC-IT
Inspiring
August 20, 2009

PCI is a standard that was created by the industry, and it shows clearly that the people who helped to devise it were not extraordinarily technical people.  They identified a laundry-list of "every possible vulnerability they could think of," but there really isn't a sense of what is more crucial or less.  There also is no sense of a management strategy.

In contrast, I would recommend that you should spend some time studying, of all things, the HIPAA Act, which of course concerns healthcare.  My point is that this was an extremely well-reasoned piece of legislation in most respects, and the available material does talk quite extensively about the fact that security is an ongoing process as well as a thing that must now-and-forever be properly managed.

I don't know whether the retailer in question, in the recent mass-theft, was "PCI compliant" or not.  They may well could have been!  Yet they obviously were not secure.  Or maybe a better way to put it is, "whether or not they were 'secure,' the sensitive data nevertheless was successfully misappropriated in a felonious way."

"Your job isn't to mind or mend the fences.  Your job is to make sure that the horse-thieves don't get in and out with my prize race-horse."  To achieve that, you can't be staring mindlessly at fences all day.  You have to regard the entire farm, and you have to have a very comprehensive and manageable plan which can be second-nature even to the stable-boy who's not getting paid much more than minimum wage.  That guy with a magnifying glass is gonna find a defect in every single fence, but... the horse is still there, and the horse-thieves are not.

T
TLC-IT
Inspiring
August 20, 2009

Let's be realistic:  there is no "silver bullet."  It ain't Cold Fusion, and it ain't dot-Net.

If the issue of PCI Compliance is that "an internal IP-address is being leaked," first make sure that your software is up-to-date (i.e. convert to the latest ColdFusion and Windows versions and service-packs), then make sure that, even if an internal IP address is leaked, it cannot be accessed from the outside.  (I have never quite understood some of the "requirements," including this one. IP addresses can always be 'port-scanned' if you can get to the subnet, and they're quite useless if you can't.)


Nevertheless, whether or not you agree with Adobe or ColdFusion, "it's what you got," and any substantial conversion of any tool to another platform is always tantamount to "starting over from scratch."  You're just not gonna get that through the bean-counters (if they are any good at all at bean counting).  You've got millions of dollars invested in whatever you've got.  Scrapping it all, in pursuit of closing some very-tiny "hole" that it might not be possible for any real-world intruder to pass through, is just not gonna happen.

There are very fundamental reasons for "what all the fuss is about" vis-a-vis ColdFusion:  the total cost of ownership is much less than with other tools including dot-Net because of its declarative syntax and efficient, just-in-time implementation.  Maintaining a "web site" with most tools is actually a task of maintaining hundreds of hand-crafted computer programs, whereas ColdFusion uses a clever and transparent code-generator to give you the same "bang" for a lot less "buck."

S
SilentBob_secretfusion
Known Participant
August 20, 2009

Yes, no silver bullet exists, however coldfusion is the superior rapid development tool, hands down.

I am watching a project now flop and fail.  Millions poured into the project. Seven developers, hundreds of thousands in consultants, multiple OS and langagues later, and they still will not swallow their pride and admit they are clueless. Just pour more resources into the project. LOL.  I don't know who is funnier, management or the project team.

That is interesting regarding PCI and internal IP address requirements.  You are correct, if the security people are doing their jobs, it really doesn't matter.  If all ports and unrequired protocols are blocks, it shouldn't be a problem.  However, you can see how well PCI worked in the Homeland Credit Card processing situation.  Millions of credit cards stolen.

A
Anonymous
August 20, 2009

The guts of this particular issue is that If the internal IP addresses are disclosed to the outside world, then the well equipped hacker can break open the firewall/router and wreak havoc.  The problem appesars to be exposed on the platform concerned when a hacker sends in a request for an unspecified file type (one that iiS6 is not expressly configured to handle.).

In regards what the original guy indicated, the culprit appears to be this jrun wildcard DLL, and it just strikes me that I wonder what that is doing there anyway ?

My simplistic understanding is that CF consists essentially of an isapi filter that picks out all requests to .cfm and .cfc files and proceeds to process them

(by compiling them into java class files and then giving them to the JVM to execute)

In my (Vista - iis6) setup, I find there are several 'Handler Mappings' of type AboMapperCustom that direct execution to an IsAPIModule.  Most requests in which a file extension is specified  such as .cfm, .cfc, .jsp etc are directed to jrun_iis6.dll, and only one ( '*') is directed to jrun_iis6_wildcard.dll.

So this issue may still be a live one in the case of CF 8, unless of course, Adobe have boosted security in those handlers.

You have to ask what is that wildcard thing all about anyway ?  Why does it have to be there, and is it safe to remove it ?

Is it intended to support an isapi-redirector perhaps ?

S
SilentBob_secretfusion
Known Participant
August 18, 2009

This seems like an IIS issue.

Out of curiousity, how does PCI compliance relate to this issue?

A
Anonymous
August 18, 2009

This DLL:

C:\JRun4\lib\wsconfig\1\jrun_iis6_wildcard.dll

Violates PCI compliance by leaking the private IP address.  This is an issue with the DLL in question, not an IIS issue.  I was hoping to discover if there was an update to this DLL.  If not, I will have to redevelop the appplication that is dependent upon this DLL in .NET.

S
SilentBob_secretfusion
Known Participant
August 18, 2009

Interesting regarding the PCI compliance.

As for the security issue with JRun.  Adobe is falling apart.  This week the head of SANS came out and said you should use ADOBE products as little as possible because of the mulitiple on going security issues.

I cannot even get through to technical support any longer, I have been in queue for two days now.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices