HTTP_HOST and SERVER_NAME Security Issues | Blog | ExpressionEngine

Many PHP sites rely upon the HTTP_HOST or SERVER_NAME variable to define the domain for any URLs. For example: That URL would render as whatever domain you’re on, followed by /blog. That’s…

Source: HTTP_HOST and SERVER_NAME Security Issues | Blog | ExpressionEngine

—- excerpt below —–

The Resolution

Fixing this is simple, if a little inconvenient. If you’re using one of the packaged solutions mentioned above, check with the provider to see whether they have already updated. We contacted everyone above to let them know about the vulnerability.

If they haven’t yet updated, or you’ve created your own solution, search your code for every use of $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] and make sure the raw value is never written into a URL or otherwise displayed on your site. Both values ultimately come from the request: HTTP_HOST is the client’s Host header, and on Apache, for example, SERVER_NAME only differs from it when UseCanonicalName is on. Anything built from them unvalidated can therefore be made to point at a domain the attacker chooses.

In an ExpressionEngine site, you’re most likely to find $_SERVER['HTTP_HOST'] in a config file, doing something like the following:

$config['site_url'] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php';
$config['cp_url']   = 'http://' . $_SERVER['HTTP_HOST'] . '/system/index.php';

Simply hard-code your own domain in place of each of those instances:

$domain = 'example.com';
$config['site_url'] = 'http://' . $domain . '/index.php';
$config['cp_url']   = 'http://' . $domain . '/system/index.php';

When dealing with multiple environments you can still read $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'], but only as a lookup key: compare it against a list of domains you control, and then set the URL from a value you own rather than from the header. You could keep it simple with an array of valid domains:

$domains = array('domain.com', 'dev.domain.com', 'staging.domain.com', 'localhost');

// Only a host that exactly matches one of our own domains is ever used.
// The third argument makes the comparison strict (no type juggling), and
// the isset() guard covers CLI runs, where HTTP_HOST is not populated.
// Note that a Host header carrying a port (dev.domain.com:8080) will not
// match and will fall through to the default below.
if (isset($_SERVER['HTTP_HOST']) && in_array($_SERVER['HTTP_HOST'], $domains, true))
{
    $domain = $_SERVER['HTTP_HOST'];
}
else
{
    // Unknown or missing host: use a safe default rather than echoing
    // whatever the request supplied.
    $domain = 'localhost';
}

Or, if you have other values and settings to choose based upon the domain, you could use a switch statement:

// The header only selects a case; every value assigned to $domain is a
// literal from this file, so the request cannot inject one of its own.
switch ($_SERVER['HTTP_HOST']) {
    case 'domain.com':
        $domain = 'domain.com';
        break;
    case 'dev.domain.com':
        $domain = 'dev.domain.com';
        break;
    case 'staging.domain.com':
        $domain = 'staging.domain.com';
        break;
    default:
        // Anything unrecognised, including a forged Host header, lands here.
        $domain = 'local.domain';
        break;
}
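As an added example (not code from the original ExpressionEngine post), the following folds the array and switch approaches above into one helper that also copes with two things the plain comparisons do not: a Host header carrying a port (dev.domain.com:8080) and mixed case. The function names resolve_site_host() and site_urls() and the domain names are assumptions for illustration; the two requests at the bottom are constructed, one legitimate and one carrying a forged Host header.

```php
<?php
// Added example, not from the original post. The helper names and the
// domains below are illustrative assumptions.

/**
 * Resolve the host to use in generated URLs.
 *
 * The Host header is used only as a lookup key against $allowed; the value
 * returned is always one of our own literals (or $fallback), so a forged
 * header can never reach a generated URL.
 */
function resolve_site_host(array $server, array $allowed, $fallback = 'localhost')
{
    // HTTP_HOST is what the client sent. SERVER_NAME is only independent of
    // the client when the web server pins a canonical name (Apache:
    // UseCanonicalName On); otherwise it mirrors the Host header too.
    $raw = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';

    // Normalise before comparing: lower-case and drop an optional ":port".
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);

    // Accept only a plain DNS-style name (letters, digits, hyphens, dots),
    // so odd characters cannot be smuggled through later string handling.
    if (!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/', $host)) {
        return $fallback;
    }

    // Strict (===) comparison, and return the allow-list entry itself.
    $index = array_search($host, $allowed, true);
    return ($index === false) ? $fallback : $allowed[$index];
}

function site_urls($domain)
{
    // Same shape as the EE config lines above, built from the trusted value.
    return array(
        'site_url' => 'http://' . $domain . '/index.php',
        'cp_url'   => 'http://' . $domain . '/system/index.php',
    );
}

$allowed = array('domain.com', 'dev.domain.com', 'staging.domain.com', 'localhost');

// Constructed requests for the demonstration: a real dev-server request
// (mixed case, with a port) and one whose Host header is attacker-chosen.
$requests = array(
    'legitimate' => array('HTTP_HOST' => 'Dev.Domain.com:8080'),
    'forged'     => array('HTTP_HOST' => 'attacker.example'),
);

foreach ($requests as $label => $server) {
    $domain = resolve_site_host($server, $allowed);
    $config = site_urls($domain);
    echo $label, ': ', $config['site_url'], PHP_EOL;
}
```

Run from the command line, the legitimate request resolves to dev.domain.com (case and port stripped before the lookup) while the forged one falls back to localhost; in neither case does the string from the header itself reach the URL, which is the property the whole fix depends on. Anything that is not a well-formed hostname, such as an IPv6 literal or a value with a path appended, also takes the fallback path rather than being compared at all.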

Alternatively, if you’re using Master Config you can use the changes we’ve submitted.
