1

I am using wildcard subdomains to give each of our users a page username.domain.com.

The usernames themselves are properly sanitized on signup.

To simplify things for the purposes of this question, assume I have a single PHP script that runs for all requests. It gets the domain components using...

$domain_components = explode( '.', $_SERVER['SERVER_NAME'] );

... and then pops off the tld, the primary domain and the subdomain.

The question is, do I need to treat the contents of the $_SERVER['SERVER_NAME'] variable, and in particular the domain components, as potentially hostile? Intuitively, I would think not since PHP and Apache must be doing as good a job as I could do before this ever reaches my code (and this answer seems to confirm it since the variable is under server control), but I would like to be sure that I'm not overlooking anything.

Do you know of any known attacks via $_SERVER['SERVER_NAME']?

(I'm using PHP 5.3.9 and Apache 2.2.3.)

Greg

3 Answers

0

My understanding is that the $_SERVER variables are constructed by the server - and therefore external browsers cannot affect their contents unless your server is compromised. If that is the case, the contents of $_SERVER are the least of your worries.

EDIT

I meant to add: except those that take the form $_SERVER['HTTP...].

Ed Heal
  • 1
    Most of them are. Remember that things like `$_SERVER['HTTP_USER_AGENT']` are changeable by the client. – ceejayoz Feb 02 '12 at 18:46
  • 1
    Thanks. As ceejayoz points out, this is not the case for many $_SERVER variables that are under client control. The answer I linked to in the question lays this out quite nicely. http://stackoverflow.com/a/6474936/123749 – Greg Feb 02 '12 at 18:50
0

http://shiflett.org/blog/2006/mar/server-name-versus-http-host

There seem to be some risks; there are some hints in that post, although it is old. It might not be wrong to just use that variable (sanitized/escaped!) in a query to find the right user and, if that works, accept it. After that point you don't need it anymore, so just use only your internal data.

Luc Franken
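Added example (not code from any of the posters): with a wildcard virtual host the subdomain label can only come from the name the client requested, so one way to follow the advice above is to re-check it against the signup rule before looking the user up. `BASE_DOMAIN`, `USERNAME_RE` and `username_from_host()` are hypothetical names, and the pattern is an assumed stand-in for the site's real username rule; the code avoids syntax newer than PHP 5.3.

```php
<?php
// Added example. BASE_DOMAIN and USERNAME_RE are assumptions, not the asker's values.
define('BASE_DOMAIN', 'domain.com');
// Assumed signup rule: 1-32 chars, lowercase letters, digits, inner hyphens.
// The /D modifier stops "$" from matching before a trailing newline.
define('USERNAME_RE', '/^[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?$/D');

/**
 * Return the username label if $host is exactly "<username>.<BASE_DOMAIN>",
 * otherwise null. Nothing derived from $host is used unless it passes.
 */
function username_from_host($host)
{
    if (!is_string($host) || strlen($host) > 253) {
        return null;                                 // longer than any valid DNS name
    }
    $host = preg_replace('/:\d+$/', '', $host);      // drop a port (present in HTTP_HOST)
    $host = strtolower(rtrim($host, '.'));           // case-insensitive; drop root dot

    $suffix = '.' . BASE_DOMAIN;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;                                 // not under our domain
    }
    // Cast because substr() returns false for an empty result before PHP 8.
    $label = (string) substr($host, 0, -strlen($suffix));

    // Exactly one label, and it must satisfy the same rule enforced at signup.
    if (!preg_match(USERNAME_RE, $label)) {
        return null;
    }
    return $label;
}

// Constructed sample host names, standing in for $_SERVER['SERVER_NAME'].
$samples = array(
    'alice.domain.com',
    'Alice.Domain.com:8080',
    'domain.com',
    'a.b.domain.com',
    'bad_name!.domain.com',
    'alice.domain.com.other.example',
);
foreach ($samples as $h) {
    $u = username_from_host($h);
    printf("%-32s => %s\n", $h, $u === null ? 'rejected' : $u);
}
```

The returned label is still only a lookup key: pass it to the user query as a bound parameter, and send a 404 when the function returns null or no user matches.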
-1

You can trust SERVER_NAME; it is set by:

<VirtualHost *>
ServerName server.domain.com
ServerAlias server server2.domain.com server2
# ...
</VirtualHost> 
cetver