Symptoms
An internal IP address is shown in the HTTP Via response header when opening the provider or reseller brand link https://cp.domain.tld/aps/2/resources/.
The IP address or internal hostname obtained from this header lets an attacker gather technical information about the internal infrastructure, which could potentially be used as a starting point for further attacks.
Cause
This behavior will be fixed in a future release in the scope of the request APS-35995: Consider removal of "Via" Header in APS response, as it's claimed as insecure.
Resolution
Please contact your TAM or PTA to trace the status of APS-35995. Until it is fixed, the following workaround can be used to prevent the issue:
1. Check whether headers_module is loaded:
# httpd -M | grep headers_module
2. If it is not, add the following line to /etc/httpd/conf/httpd.conf (in case of NG hosting) or to /usr/local/pem/etc/apache/httpd.conf_pem (in case of Legacy Shared Hosting):
LoadModule headers_module modules/mod_headers.so
3. Disable the header in httpd.conf:
<IfModule mod_headers.c>
    Header unset Via
</IfModule>
4. Restart the httpd service to apply the changes:
a. in case of NG hosting:
# service httpd restart
b. in case of Legacy Shared Hosting:
# service pemhttpd restart
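The following shell script is an added example and not part of the original article: it gives an administrator two checks around the workaround above, one that inspects captured response headers for a Via header (marking values that expose an RFC 1918 address), and one that verifies an httpd.conf file contains both the LoadModule line and the Header unset Via directive. The sample response and the temporary configuration file it tests against are constructed data; the curl command mentioned in the comment is an assumed way to obtain live headers, not something the article describes.

```shell
#!/bin/sh
# Added example, not part of the original KB article. The sample HTTP
# response and the temporary conf file below are constructed test data.

# via_leak_check: read raw HTTP response headers on stdin (for example the
# output of `curl -sI https://cp.domain.tld/aps/2/resources/`, an assumed
# usage) and report every Via header found. Exit status is 1 if any Via
# header is present (the workaround is not in effect), 0 otherwise.
# A Via value carrying a private (RFC 1918) address is marked LEAK.
via_leak_check() {
    tr -d '\r' | awk '
        BEGIN { found = 0 }
        tolower($1) == "via:" {
            found = 1
            val = substr($0, index($0, ":") + 1)
            if (val ~ /(^|[^0-9.])(10\.[0-9]+\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+)/)
                print "LEAK: Via header exposes a private address:" val
            else
                print "WARN: Via header present:" val
        }
        END { exit found }'
}

# via_workaround_configured FILE: succeed (exit 0) only if FILE loads
# headers_module and contains a "Header unset Via" directive.
via_workaround_configured() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]' "$1" &&
    grep -Eiq '^[[:space:]]*Header[[:space:]]+unset[[:space:]]+Via[[:space:]]*$' "$1"
}

# Stand-alone demonstration on constructed data.
demo() {
    # Constructed response resembling the symptom: an internal hop in Via.
    if printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nVia: 1.1 10.0.0.5 (Apache)\r\n\r\n' | via_leak_check; then
        echo "no Via header in response"
    else
        echo "Via header still sent; apply the workaround"
    fi

    # Constructed httpd.conf fragment containing the workaround.
    conf=$(mktemp)
    printf 'LoadModule headers_module modules/mod_headers.so\n<IfModule mod_headers.c>\n    Header unset Via\n</IfModule>\n' > "$conf"
    if via_workaround_configured "$conf"; then
        echo "workaround present in $conf"
    else
        echo "workaround missing in $conf"
    fi
    rm -f "$conf"
}

demo
```

Both functions return a non-zero status on a finding, so they can be dropped into a post-change verification step or a periodic check: a Via header reappearing after an httpd.conf update is the signal that the module did not load or the directive was lost.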