Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: The internal IP address of an IIS 7.0 server is revealed if an HTTP Request that does not have a Host header or has a NULL Host header is sent to the server

View products that this article applies to.


Consider the following scenario:

  • An HTTP Request that does not have a Host header or that has a NULL Host header is sent to an Internet Information Service (IIS) 7.0 server.
  • An ISAPI filter is configured in IIS 7. The ISAPI filter calls the GetServerVariables(servername) function during an SF_NOTIFY_PREPROC_HEADERS notification.
In this scenario, the internal IP address of the server is returned to the client in an HTTP response.

  • In some cases, IIS 7.0 server may be flagged as "insecure" by security scanning tools if internal IP address of the server is revealed.
  • SF_NOTIFY_PREPROC_HEADERS notifications occur for each request. These notifications indicate that the server has completed preprocessing of the headers associated with the request, but has not begun to process the information in the headers.
  • Web browsers that use HTTP/1.1 must include a Host header when the browser sends an HTTP request. Therefore, this scenario occurs most frequently when the HTTP request is not sent by a Web browser or when it is sent by a Web browser that uses HTTP/1.0.

↑ Back to the top


The issue occurs because SF_NOTIFY_PREPROC_HEADERS is called before IIS reads the alternateHostName property in the configuration data. Therefore, IIS can only return the IP address of the server.

If the request contains a Host value and the GetServerVariables(servername) call is made in SF_NOTIFY_PREPROC_HEADERS, SERVER_NAME will contain the value of the client's Host header.

↑ Back to the top


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.


You must have Windows Vista Service Pack 1 or Windows Server 2008 installed to apply this hotfix.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
IIS 7.0, x86
File nameFile versionFile sizeDateTimePlatform
IIS 7.0, x64
File nameFile versionFile sizeDateTimePlatform
IIS 7.0, IA64
File nameFile versionFile sizeDateTimePlatform

↑ Back to the top


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about ISAPI Filter Event Order, visit the following Microsoft Web site:For more information about Request-Processing in IIS 7, visit the following Microsoft Web site:

Note Because the alternateHostName property is used to stop the internal IP address of the server from being revealed, you should also set a value for alternateHostName when you install this hotfix. To set the alternateHostName value, execute the following command:
appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"<Server Name>"  /commit:apphost
For more information about IIS 7.0 serverRuntime Element, visit the following Microsoft Web site:

↑ Back to the top


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbhotfixserver, kbautohotfix, kbexpertiseadvanced, kbqfe, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 967342
Revision : 4
Created on : 9/26/2018
Published on : 9/26/2018
Exists online : False
Views : 379