Internet Information Server returns IP address in HTTP header (Content-Location) - Vulnerability Database

Description

Microsoft Internet Information Server (IIS) includes a Content-Location HTTP response header when serving static HTML files. By default, this header contains the server's internal IP address rather than its Fully Qualified Domain Name (FQDN) or hostname. This configuration issue causes the server to leak internal network information in normal HTTP responses.

Remediation

Configure IIS to use the hostname instead of the IP address in the Content-Location header by modifying the IIS metabase settings. This can be accomplished using the following methods:

Method 1: Using adsutil.vbs script

cscript.exe adsutil.vbs set /W3SVC/UseHostName True

Method 2: Direct metabase edit

1. Stop the IIS Admin Service
2. Open the MetaBase.xml file (typically located in C:\Windows\System32\inetsrv\)
3. Locate the IIsWebService element and add or modify:

<IIsWebService UseHostName="TRUE">

4. Save the file and restart IIS

After applying changes, restart IIS using:

iisreset

Verify the fix by checking HTTP responses to ensure the Content-Location header uses the FQDN instead of the IP address.
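
One way to run the verification step over saved response headers, as an added example that is not part of the original advisory. The sample responses, the host name www.example.com, the address 10.1.2.3 and the function names are constructed for illustration.

```python
import ipaddress
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Location: http://10.1.2.3/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1433\r\n"
    "\r\n"
)
AFTER_FIX = BEFORE_FIX.replace("10.1.2.3", "www.example.com")


def content_location_host(raw_response):
    """Return the host in the Content-Location header, or None if there is none."""
    # Drop the status line, then parse the remaining header block.
    _, _, header_block = raw_response.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    value = headers.get("Content-Location")  # lookup is case-insensitive
    if not value:
        return None
    # A relative Content-Location carries no host, so hostname is None.
    return urlsplit(value.strip()).hostname


def check_content_location(raw_response):
    """Classify a response: 'no-host', 'hostname', 'internal-ip' or 'other-ip'."""
    host = content_location_host(raw_response)
    if host is None:
        return "no-host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a name, not an IP literal: expected state after the fix
    # is_private covers RFC 1918 ranges as well as loopback and link-local space.
    return "internal-ip" if addr.is_private else "other-ip"


if __name__ == "__main__":
    for label, response in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, content_location_host(response), check_content_location(response))
```

Any result other than "hostname" or "no-host" means the header still exposes an address and the UseHostName setting has not taken effect for that site.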
