I'm creating a web app that has many domains pointing to the same app, but the content displayed will depend on the domain used to reach the app.

I am currently using $_SERVER['HTTP_HOST'] to get the domain and pull in the correct content.

I read this is not safe, because

The client can set HTTP_HOST to any arbitrary value it wants

from Get the full URL in PHP

How is this possible and how can I protect against this?

Simian
  • It is safe if you configure virtual hosts in a way to make sure your php is served from and only from known hostname http://stackoverflow.com/questions/10350602/how-safe-is-serverhttp-host/10350718#10350718 – maalls Apr 25 '15 at 19:21

2 Answers

Using HTTP_HOST in a comparison statement such as IF is perfectly fine. You would only start to run into problems if you use the HTTP_HOST data directly in a method which requires sanitized data such as a SQL query string, as the user could malform the header to perform SQL injection.

If the user malforms the host header, and you have an IF comparison such as if($_SERVER['HTTP_HOST'] == 'www.google.com'), then changing it would not do anything useful for a malicious user. If you controlled the context through that header, then it would simply not print anything.

See this answer for more details.

gsp8181
  • I think the concern here is more about the authenticity of the HTTP_HOST value rather than trying to inject code. – maalls Apr 25 '15 at 19:23
  • Indeed it can be spoofed by the user, if it's simply a matter of redirecting the user to appropriate content then it should be fine. If you used it as a switch statement, it would probably refuse to serve anything or serve the contents of another site, much the same as actually visiting the other site – gsp8181 Apr 25 '15 at 19:26
  • Thanks for your answer. I only use the host to determine which content to use so that's fine – Simian Apr 25 '15 at 20:48
HTTP_HOST comes from the raw HTTP request. Such a request may look like:

GET /index.php HTTP/1.1
Host: example.com

The host field is especially useful when a single IP address serves multiple sites; it is a way of saying "hello server, out of all websites you may host, I'd like to view this particular one." Depending on how your server is configured (e.g., Apache's virtualhost), it may accept arbitrary values and serve a default website, or use a white-list and reject non-white-listed values.

Either way, in your PHP code you should validate whether the HTTP_HOST value is something you expect. If it is not, you should serve an HTTP error page, such as 403 permission denied. It makes no sense to rely on a server configuration to white-list values.

Gerard
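
The validation described in the answer above, as an added example that is not part of the original answers: the Host header is normalized, looked up by exact match in an allowlist, and anything else gets a 403. The SITES map, its domains and resolve_site() are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: hostname => content key. Replace with your own domains.
const SITES = [
    'example.com'     => 'site_a',
    'www.example.com' => 'site_a',
    'example.org'     => 'site_b',
];

/** Map a raw Host header to a content key, or null if the host is not expected. */
function resolve_site(?string $rawHost, array $sites): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null; // header absent (e.g. an HTTP/1.0 request)
    }
    $host = strtolower($rawHost);
    // Drop an optional ":port" suffix (digits only).
    $host = (string) preg_replace('/:\d{1,5}$/D', '', $host);
    // Treat the absolute DNS form "example.com." as "example.com".
    $host = rtrim($host, '.');
    // Exact key lookup only: no substring, prefix or suffix matching,
    // so a value such as "example.com.other.test" is rejected.
    return $sites[$host] ?? null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample Host values so the file can be run offline with `php file.php`.
    foreach (['Example.COM:8080', 'example.org.', 'example.com.other.test', ''] as $h) {
        printf("%-28s => %s\n", var_export($h, true), resolve_site($h, SITES) ?? '403 Forbidden');
    }
} else {
    $site = resolve_site($_SERVER['HTTP_HOST'] ?? null, SITES);
    if ($site === null) {
        http_response_code(403); // the error response the answer suggests
        exit('Forbidden');
    }
    // From here on, use $site (a value from the allowlist), never the raw header.
    echo "Serving content for {$site}\n";
}
```

Because the rest of the application only ever sees the allowlisted content key, the raw header value never reaches queries, file paths or generated links.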