HTTP Private IP Disclosure

Overview

A Nessus vulnerability scan can come up for SFTP Gateway: https://www.tenable.com/plugins/nessus/10759

The Nginx configuration on SFTP Gateway can result in the disclosure of the private IP address.

This article walks you through remediating this vulnerability.

How to reproduce the issue

When accessing a URL that performs a redirect, Nginx returns a Location header that happens to disclose the private IP address of the server.

To reproduce this issue, run the following command from your workstation:

echo -ne "GET / HTTP/1.0\r\n\r\n" | nc 20.115.56.1 80

This command sends a GET request to the web server on port 80. (Make sure you replace the public IP with your own)

You will see the following response:

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 15:12:43 GMT
Content-Type: text/html
Content-Length: 178
Location: http://10.0.0.9/index.html
Connection: close

<html>
<head><title>301 Moved Permanently</title></head>

Note that the server's private IP address is exposed in the Location header.

How to fix the issue

You want to add the line to your Nginx configuration:

server_name_in_redirect on;

Edit the website.conf file, located here:

/etc/nginx/conf.d/website.conf

Add the server_name_in_redirect directive somewhere within the port 80 server block:

server {
  listen 80;
  listen [::]:80;

  server_name 20.115.56.1;
  server_name_in_redirect on;
  ...
}

By default, the server_name is set to the wildcard character: _. Make sure you set this to the hostname of your server.

Finally, apply your changes:

sudo su
nginx -t && service nginx restart

Re-run your HTTP GET command, and you should see the server_name hostname appear in the Location header response.

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 15:12:43 GMT
Content-Type: text/html
Content-Length: 178
Location: http://20.115.56.1/index.html
Connection: close

<html>
<head><title>301 Moved Permanently</title></head>