HTTP Private IP Disclosure
Overview
A Nessus vulnerability scan can come up for SFTP Gateway: https://www.tenable.com/plugins/nessus/10759
The Nginx configuration on SFTP Gateway can result in the disclosure of the private IP address.
This article walks you through remediating this vulnerability.
How to reproduce the issue
When accessing a URL that performs a redirect, Nginx returns a Location
header that happens to disclose the private IP address of the server.
To reproduce this issue, run the following command from your workstation:
echo -ne "GET / HTTP/1.0\r\n\r\n" | nc 20.115.56.1 80
This command sends a GET
request to the web server on port 80
. (Make sure you replace the public IP with your own)
You will see the following response:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 15:12:43 GMT
Content-Type: text/html
Content-Length: 178
Location: http://10.0.0.9/index.html
Connection: close
<html>
<head><title>301 Moved Permanently</title></head>
Note that the server's private IP address is exposed in the Location
header.
How to fix the issue
You want to add the line to your Nginx configuration:
server_name_in_redirect on;
Edit the website.conf
file, located here:
/etc/nginx/sites-available/website.conf
Add the server_name_in_redirect
directive somewhere within the port 80 server block:
server {
listen 80;
listen [::]:80;
server_name 20.115.56.1;
server_name_in_redirect on;
...
}
By default, the server_name
is set to the wildcard character: _
. Make sure you set this to the hostname of your server.
Finally, apply your changes:
sudo su
nginx -t && service nginx restart
Re-run your HTTP GET command, and you should see the server_name
hostname appear in the Location
header response.
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 15:12:43 GMT
Content-Type: text/html
Content-Length: 178
Location: http://20.115.56.1/index.html
Connection: close
<html>
<head><title>301 Moved Permanently</title></head>