Support » Plugin: IP Based Login » dns-name instead of ip?

Viewing 1 replies (of 1 total)
  • Plugin Author brijeshk89

    (@brijeshk89)

    Hi,

    We evaluated this feature and our team says this could be insecure for your site.

    In order to determine the DNS record we need to use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] variables in PHP.

    The $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] variables can be changed by the user by sending a different Host header when accessing the site:

    curl -H "Host: notyourdomain.com" http://yoursite.com/

    Doing that, any URLs that used $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] would use notyourdomain.com.

    So let's say you allow homeoffice1.noip.org to whitelist, some user could access your site by passing the header stating that they are accessing your site from homeoffice1.noip.org.
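
The reply's point that the Host header is chosen by the client, shown as an added example that is not part of the original post or the plugin's code: a check keyed on `HTTP_HOST` next to one keyed on the connection's peer address. The function names, the injected `$resolve` callable and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the IP Based Login plugin.

// Weak: decides from the Host header, which the client sets freely.
function allowed_by_host_header(array $server, array $allowedNames): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    return in_array($host, $allowedNames, true);
}

// Stronger: resolve each allow-listed name and compare the result with
// REMOTE_ADDR, the address of the TCP peer, which a header cannot change.
function allowed_by_peer_address(array $server, array $allowedNames, callable $resolve): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return false; // missing or malformed peer address: deny
    }
    foreach ($allowedNames as $name) {
        $ips = $resolve($name); // array of IPs, or false on lookup failure
        if (is_array($ips) && in_array($peer, $ips, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data (documentation address ranges, no network needed).
$allowed = ['homeoffice1.noip.org'];
$records = ['homeoffice1.noip.org' => ['203.0.113.10']];
$resolve = fn(string $name) => $records[$name] ?? false;

// Request with a forged Host header from an unrelated address.
$forged = ['HTTP_HOST' => 'homeoffice1.noip.org', 'REMOTE_ADDR' => '198.51.100.7'];
// Request that really originates from the allow-listed host.
$genuine = ['HTTP_HOST' => 'yoursite.com', 'REMOTE_ADDR' => '203.0.113.10'];

foreach (['forged' => $forged, 'genuine' => $genuine] as $label => $req) {
    printf(
        "%s: host-header check=%s, peer-address check=%s\n",
        $label,
        var_export(allowed_by_host_header($req, $allowed), true),
        var_export(allowed_by_peer_address($req, $allowed, $resolve), true)
    );
}
```

On a live site `$resolve` could be PHP's `gethostbynamel`, which returns IPv4 addresses only. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, and whoever controls the DNS record controls who passes the check.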
