LM-3000 Fails PCI Compliance when using http -> https redirects

0

When following the instructions at:

https://support.kemptechnologies.com/hc/en-us/articles/201849193-How-can-I-redirect-traffic-from-HTTP-to-HTTPS-

to use the Kemp LM-3000 for an http -> https redirect (302 -> https://%h%s), PCI compliance scanning fails with the message "internal ip disclosure vulnerability". When a request is sent over HTTP 1.0 with a blank Host header, the Kemp redirect responds with the internal IP address in the Location header.


1 comment

0
Mark Deegan

Hello,

Have you seen this article?

https://support.kemptechnologies.com/hc/en-us/articles/203522429-Mitigating-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects

You can also change the redirect to be to a URL instead of https://%h%s. This could be sent to https://www.yourdomain.com%s

regards

Mark