I'm trying to compare the HTTP_HOST with my domain name which failed. Struggling to find out what causes this, I tried to print the length of it. To my surprise it outputs the length of my actual domain name (although I am using a web proxy).

Using strlen I would receive the same length as in this var_dump() output (showing only what's necessary):

```
["HTTP_HOST"]=>
string(12) "mydomain.com.s48.wbprx.com"
["SERVER_NAME"]=>
string(12) "mydomain.com.s48.wbprx.com"
```

My original domain was replaced with mydomain.com including the length of the string.

I am very stunned. How come I can print the string using echo and see it in its entirety, but not get the string length? Even when I did `str_replace('.','', $str)` it would return "mydomaincom".

If it is of any help, my website also uses the following htaccess code:

```
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Removes .php
RewriteCond $1 !\.(gif|jpe?g|png|bmp)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ $1.php [L]
</IfModule>
```

I've tried with both .php and without. Same result.

This result was produced using: https://incloak.com/

My PHP version is 5.3.14 if that would make any difference.

Colandus
  • I don't see the output of the strlen() echo? – Martijn Oct 01 '13 at 17:14
  • @Martijn Indeed, I did not formulate myself properly. The length given by strlen was the same as in the var_dump – Colandus Oct 01 '13 at 17:16
  • @Jakub Do you not see the var_dump output? The length says 12, even though it should be as the full string? "mydomain.com.s48.wbprx.com" – Colandus Oct 01 '13 at 17:18
  • Before passing parameter to `strlen`, you should always pass it to `trim` first. Try this, `strlen(trim($string))` – Shakil Ahamed Oct 01 '13 at 17:21
  • does this help => http://stackoverflow.com/questions/2297403/http-host-vs-server-name – Jakub Oct 01 '13 at 17:22
  • @silentboy this is clearly not the issue here. Rather, the string is outputted as something but is really something else is how it seems to me. – Colandus Oct 01 '13 at 17:22
  • I think the point you are trying to make, is that you're saying that the string is 26 characters, but is only reporting a length of 12. Correct? What happens when you `$hh = $_SERVER['HTTP_HOST']; var_dump($hh);` ? – Jacob S Oct 01 '13 at 17:24
  • @JacobS Indeed. I've tried that as well with no success. If I attempt to print `$_SERVER['HTTP_HOST']` it will show me the full string, however, trying to compare it to another string or print the length of the string will always show me the same length as shown in the `var_dump`. – Colandus Oct 01 '13 at 17:27
  • What exactly do you want it to be, do you want the length or the string to be echoed out? – The Alpha Oct 01 '13 at 17:28
  • @RecoveringSince2003 I want to compare the string to my actual host. – Colandus Oct 01 '13 at 17:29
  • I have provided a link to the web proxy service I used for this. – Colandus Oct 01 '13 at 17:31
  • It would be much better to post exactly what you tried for comparing, post the real code that is giving you the unexpected result. – The Alpha Oct 01 '13 at 17:33
  • @RecoveringSince2003 Well it's only in a simple test document so it will be no more code than a basic if-statement. My initial tries were != and even !== but nothing seemed to work, so I decided to print the string and its length and even the `var_dump` which then surprised me. `if($_SERVER['HTTP_HOST'] != 'mydomain.com')` is the comparison I made. If you cannot solve this it can be left behind us, I realized it will not work in the end anyway to achieve what I wanted. I still remain utterly curious though. – Colandus Oct 01 '13 at 17:36
  • Just out of curiosity, what happens when you `var_dump(utf8_decode($_SERVER['HTTP_HOST']))`? – Jacob S Oct 01 '13 at 17:44
  • @JacobS `string(12) "p5zsqypqy6u.qjtv.e.s30.wbprx.com"` A new proxy session, this time it doesn't even include my real host name. But yet, acts as it. My code contains nothing at all (that could possibly interfere), just the dump. – Colandus Oct 01 '13 at 17:54

1 Answer

It looks like the internal length of the string stored by PHP is set to 12, but the actual string is much longer (and probably null terminated). Could this be a potential attack?

rich remer
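
One way to test the hypothesis in the answer above, as an added example that is not part of the original posts: write the byte length and a hex dump of the host value to the server log, which shows the bytes PHP actually holds regardless of what happens to the page on its way to the browser, and compare the value strictly against a fixed list. The function names and the `$allowed` list are assumptions, the sample values are constructed, and the syntax is kept compatible with the PHP 5.3 mentioned in the question.

```php
<?php
// Added diagnostic example; describe_host(), host_is_expected() and
// $allowed are hypothetical names, not code from the question.

/** Report a header value byte by byte. */
function describe_host($value)
{
    return array(
        'strlen'        => strlen($value),    // byte length PHP holds
        'hex'           => bin2hex($value),   // two hex digits per byte
        'has_nul'       => strpos($value, "\0") !== false,
        // anything outside visible ASCII (space, control, high bytes)
        'non_printable' => preg_match('/[^\x21-\x7e]/', $value) === 1,
    );
}

/** Strict check: lower-case, drop an optional :port, exact match only. */
function host_is_expected($value, array $allowed)
{
    $host = preg_replace('/:\d+$/', '', strtolower($value));
    return in_array($host, $allowed, true);
}

$allowed = array('mydomain.com');   // placeholder domain from the question

// Constructed inputs: the 12-byte name, the 26-byte name seen in the
// browser, and a value with an embedded NUL byte.
$samples = array(
    'mydomain.com',
    'mydomain.com.s48.wbprx.com',
    "mydomain.com\0.s48.wbprx.com",
);
if (isset($_SERVER['HTTP_HOST'])) {
    $samples[] = $_SERVER['HTTP_HOST'];   // live value under a web server
}

foreach ($samples as $s) {
    $d = describe_host($s);
    // error_log() writes to the server log, not to the response body.
    error_log(sprintf(
        'host len=%d hex=%s nul=%s nonprint=%s expected=%s',
        $d['strlen'],
        $d['hex'],
        $d['has_nul'] ? 'yes' : 'no',
        $d['non_printable'] ? 'yes' : 'no',
        host_is_expected($s, $allowed) ? 'yes' : 'no'
    ));
}
```

If the logged hex for the live value decodes to exactly the 12-byte name, the string in PHP has no hidden tail and the longer name is appearing somewhere after PHP produced its output.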