  • Plugin Author invisnet (@invisnet)

    The Host header is defined in section 14.23 of RFC 2616 as:

    Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

    Section 3.2.2 of RFC 2396 defines host as:

    hostport = host [ ":" port ]
    host = hostname | IPv4address
    hostname = *( domainlabel "." ) toplabel [ "." ]
    domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
    toplabel = alpha | alpha *( alphanum | "-" ) alphanum

    In other words, if $_SERVER['HTTP_HOST'] ever contains something other than a valid hostname, there’s a bug in the web server.

    So, while it’s true that the client can change the Host header to whatever they want, typically it must match the name of a virtual server, and even in a brain-dead catch-all configuration the web server should reject invalid hostnames.

    tl;dr: no, it’s not a security risk.
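The grammar quoted above can be turned directly into a check that an application can run on the incoming value. The block below is an added example written for this page, not code from the plugin author or from WordPress; it translates the RFC 2396 `hostname` / `IPv4address` productions into a regular expression, parses an optional port, and then compares the result against an allowlist of the site's own hostnames (the names of the virtual servers the reply refers to). The allowlist names, the `parse_host_header` and `host_is_expected` helpers, and the sample inputs are all constructed for the example; Python is used because the grammar itself is language-independent and the same check would be written the same way in PHP.

```python
import re

# Translation of the quoted ABNF (RFC 2396 section 3.2.2) into regular expressions.
ALPHANUM = r"[A-Za-z0-9]"
# domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
DOMAINLABEL = rf"{ALPHANUM}(?:[A-Za-z0-9-]*{ALPHANUM})?"
# toplabel = alpha | alpha *( alphanum | "-" ) alphanum
TOPLABEL = rf"[A-Za-z](?:[A-Za-z0-9-]*{ALPHANUM})?"
# hostname = *( domainlabel "." ) toplabel [ "." ]
HOSTNAME = rf"(?:{DOMAINLABEL}\.)*{TOPLABEL}\.?"
# IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit (RFC 2396 wording)
IPV4 = r"\d+(?:\.\d+){3}"
# hostport = host [ ":" port ], port = *digit
HOST_RE = re.compile(rf"^(?P<host>{HOSTNAME}|{IPV4})(?::(?P<port>\d*))?$")


def parse_host_header(value):
    """Return (host, port) if `value` obeys the quoted grammar, else None.

    The host is normalised to lower case with the optional trailing dot
    removed so that it can be compared against an allowlist; `port` is an
    int, or None when absent or empty (the grammar allows an empty port).
    """
    match = HOST_RE.match(value)
    if match is None:
        return None
    host = match.group("host").lower().rstrip(".")
    port = match.group("port")
    return (host, int(port) if port else None)


def host_is_expected(value, allowed_hosts):
    """True only if `value` is grammatically valid AND names one of our own hosts.

    Grammar validity alone says nothing about *which* host was requested, so a
    second check against the names the server is configured to serve is the
    part an application should actually rely on.
    """
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, _port = parsed
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample values standing in for $_SERVER['HTTP_HOST'] (hypothetical site name).
    allowed = ["blog.example.com"]
    for sample in ["blog.example.com", "Blog.Example.COM.:8080", "192.168.0.1",
                   "-bad.example.com", "blog.example.com/path", "other.example.org"]:
        print(f"{sample!r:32} parsed={parse_host_header(sample)!r:32} "
              f"expected={host_is_expected(sample, allowed)}")
```

`parse_host_header` rejects anything the grammar does not allow (a label starting with a hyphen, an empty label, a path, whitespace, a second colon), while `host_is_expected` is the check that actually matters for an application that builds links or redirects from the header: even a well-formed name is only trusted when it is one the site is configured to serve.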
