w3svc/UseHostName value in the metabase from False to True


Jul 24, 2011
I'm going through a PCI compliance test and this is one of their requests I have to change on my server. Can someone tell me how I would go about doing this? This looks like a Windows server issue. But my server is a Linux WHM server. So I'm clueless what I'm supposed to do. Any suggestions would be great.
Description: Web Server Internal IP address or network name available
domainname.com XXX.XXX.XX.xx Linux 2.6.8 Jul 24 01:17:49 2011 new
Severity: Area of Concern
CVE: CVE-2000-0649 CVE-2002-0419 5.02737new11
Impact: An attacker could determine information about your internal network structure from information in http headers.
Background: Information on the machine which a web server is located is sometimes included in the header of a web page. Under certain circumstances that information may include local information from behind a firewall or proxy server such as the local IP address.
Resolution: For IIS 4.0, 5.0 or 5.1, fix as designated in "Internet Information Server returns IP address in HTTP header (Content-Location)" Q218180 by changing the w3svc/UseHostName value in the metabase from False to True. For IIS 6.0, fix as designated in "FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0" 834141. For other web servers, contact the vendor.
Vulnerability Details:
Service: http
Received:
HTTP/1.1 302 Found
Date: Sun, 24 Jul 2011 07:03:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Location: http://www./index.html
Set-Cookie: PHPSESSID=faab7718a713ef7f0b96bbef4cb2c2c0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-


Quality Assurance Analyst
Staff member
You appear to have opened up ticket 1765721 in regards to this same issue. The recommendations there were to contact the PCI company to get more details on how to resolve this in Linux, since it is mainly picking up CVE issues with Windows rather than Linux.

Given that there are no reports for this vulnerability for Linux in an online search and all results pull up IIS, it seems that the PCI company would either need to consider this a false positive or provide the steps in Linux to resolve the issue.
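One way to test a finding like this against the evidence before disputing it with the scanning vendor, as an added example that is not part of the original thread: parse the response headers and flag any private, loopback or link-local IPv4 address in the headers where this kind of disclosure appears. The function names, the list of checked headers and the second sample are assumptions made for illustration; the first sample is the header block from the scan report above with the cookie omitted, and the check covers IP addresses only, not internal host names.

```python
import ipaddress
import re

# Headers inspected for address disclosure (assumed list for this example).
CHECKED = {"location", "content-location", "www-authenticate", "set-cookie"}
# Dotted quad that is not part of a longer dotted or numeric run.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Header block from the scan report on this page (cookie omitted).
REPORTED = """HTTP/1.1 302 Found
Date: Sun, 24 Jul 2011 07:03:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Location: http://www./index.html
Connection: close
Content-Type: text/html
"""

# Constructed sample showing what a real disclosure would look like.
LEAKY = """HTTP/1.1 302 Found
Server: Apache
Location: http://10.0.0.5/index.html
Content-Location: http://192.168.1.20/Default.htm
"""

def parse_headers(raw):
    """Return (name, value) pairs from a raw response head, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_internal_addresses(raw):
    """List (header, address) for every non-public IPv4 address in a checked header."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() not in CHECKED:
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. an octet above 255
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                findings.append((name, str(addr)))
    return findings
```

An empty result for the headers the scanner quoted, next to a non-empty one for a response that does leak, is the kind of evidence a false-positive dispute can be based on.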