
mahara-contributors team mailing list archive

[Bug 1175446] Re: user supplied $_SERVER['HTTP_HOST'] can be used for injections


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1175446

Title:
  user supplied $_SERVER['HTTP_HOST'] can be used for injections

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released

Bug description:
  http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

  curl -H "host:cow\"onerror='alert(1)" localhost/code/mahara/htdocs/admin/ | fgrep cow
  on a fresh install (not installed yet, as first page hit of installed will store it in db), will show some unescaped

  that is used in init.php, to set wwwroot, and noreplyaddress

  there is also a possible injection using lib/web.php, the
  get_requested_host_name uses it, which is used by clean_urls, and by
  AccessDeniedException

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1175446/+subscriptions
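The bug above is the classic pattern of building wwwroot from a client-controlled Host header. The following is an added illustration, not Mahara's own code: the unsafe derivation beside a hardened one that only accepts a syntactically valid hostname found on a configured allowlist and otherwise falls back to the canonical host. Function names, the allowlist and the sample requests are all constructed for the example.

```php
<?php
// Added example (not Mahara's code). Shows why trusting $_SERVER['HTTP_HOST']
// for wwwroot is dangerous and how a defender would constrain it.

// Unsafe: whatever the client sent as the Host header becomes part of a URL
// that later ends up in HTML, mail headers and redirects.
function wwwroot_from_host_unsafe(array $server): string
{
    $scheme = !empty($server['HTTPS']) ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/';
}

// Hardened: accept the request Host only if it is a well-formed hostname
// (optionally with a port) AND is on an allowlist fixed by the installer or
// config file. Anything else uses the configured canonical host, so untrusted
// input is never reflected. Allowlist entries include the port if one is used.
function wwwroot_from_host_safe(array $server, array $allowed_hosts, string $canonical): string
{
    $scheme = !empty($server['HTTPS']) ? 'https' : 'http';
    $host   = strtolower($server['HTTP_HOST'] ?? '');

    [$name, $port] = array_pad(explode(':', $host, 2), 2, null);
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';   // one RFC 1123 label
    $syntax_ok = $name !== ''
        && strlen($name) <= 253
        && preg_match("/^(?:$label\\.)*$label$/", $name) === 1
        && ($port === null || preg_match('/^\d{1,5}$/', $port) === 1);

    if (!$syntax_ok || !in_array($host, $allowed_hosts, true)) {
        $host = $canonical;   // quotes, '=' or an unknown host never reach output
    }
    return $scheme . '://' . $host . '/';
}

// Constructed sample requests; the first uses the Host value from the bug report.
$allowed   = ['mahara.example.org', 'localhost'];
$canonical = 'mahara.example.org';
$attack    = ['HTTP_HOST' => "cow\"onerror='alert(1)"];
$legit     = ['HTTP_HOST' => 'localhost', 'HTTPS' => 'on'];

echo wwwroot_from_host_unsafe($attack), "\n";                      // payload passes through
echo wwwroot_from_host_safe($attack, $allowed, $canonical), "\n";  // canonical host instead
echo wwwroot_from_host_safe($legit,  $allowed, $canonical), "\n";  // allowlisted host kept
```

The hostname check deliberately rejects bracketed IPv6 literals; add them to the grammar only if the deployment actually serves such hosts.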