
w3svc/UseHostName value in the metabase from False to True

Discussion in 'General Discussion' started by chrisp8756, Jul 24, 2011.

  1. chrisp8756

    chrisp8756 Registered

    I'm going through a PCI compliance test and this is one of their requests I have to change on my server. Can someone tell me how I would go about doing this? This looks like a Windows server issue, but my server is a Linux WHM server, so I'm clueless what I'm supposed to do. Any suggestions would be great.
    --
    Description: Web Server Internal IP address or network name available
    domainname.com  XXX.XXX.XX.xx  Linux 2.6.8  Jul 24 01:17:49 2011  new
    Severity: Area of Concern
    CVE: CVE-2000-0649 CVE-2002-0419
    5.02737new11

    Impact: An attacker could determine information about your internal network structure from information in http headers.

    Background: Information on the machine which a web server is located is sometimes included in the header of a web page. Under certain circumstances that information may include local information from behind a firewall or proxy server such as the local IP address.

    Resolution: For IIS 4.0, 5.0 or 5.1, fix as designated in Internet Information Server returns IP address in HTTP header (Content-Location) Q218180 by changing the w3svc/UseHostName value in the metabase from False to True. For IIS 6.0, fix as designated in FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0 834141. For other web servers, contact the vendor.

    Vulnerability Details:
    Service: http
    Received:
    HTTP/1.1 302 Found
    Date: Sun, 24 Jul 2011 07:03:11 GMT
    Server: Apache
    X-Powered-By: PHP/5.2.17
    Location: http://www./index.html
    Set-Cookie: PHPSESSID=faab7718a713ef7f0b96bbef4cb2c2c0; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Connection: close
    Content-Type: text/html

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You appear to have opened up ticket 1765721 in regards to this same issue. The recommendations there were to contact the PCI company to get more details on how to resolve this in Linux, since it is mainly picking up CVE issues with Windows rather than Linux.

    Given that there are no reports for this vulnerability for Linux in an online search and all results pull up IIS, it seems that the PCI company would either need to consider this a false positive or provide the steps in Linux to resolve the issue.
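
An added example, not part of either post: a Python check that parses a captured response such as the one quoted in the scan report and flags private, loopback or link-local addresses in any header, plus single-label host names in Location and Content-Location. The second response, the function name and all other identifiers are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: headers copied from the scan report in the first post.
SCAN_RESPONSE = """\
HTTP/1.1 302 Found
Date: Sun, 24 Jul 2011 07:03:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Location: http://www./index.html
Connection: close
Content-Type: text/html
"""

# Constructed sample: a response that really does disclose internal details.
LEAKY_RESPONSE = """\
HTTP/1.1 302 Found
Server: Apache
Location: http://10.0.0.5/index.html
Content-Location: http://intranet-web01/default.htm
"""

URL_HEADERS = {"location", "content-location"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_internal_disclosures(raw_response):
    """Return (header, value, reason) for headers exposing internal addresses or names."""
    findings = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        for candidate in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                findings.append((name, value, f"non-public address {ip}"))
        if name.lower() in URL_HEADERS:
            host = urlsplit(value).hostname or ""
            # A host with no dot is an internal network name, not a public FQDN.
            if host and "." not in host:
                findings.append((name, value, f"single-label host name {host}"))
    return findings
```

Run against the headers quoted in the report, the function returns no findings; the constructed leaky response yields one finding per header.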
     
