
phpdevshell team mailing list archive

[Bug 1202451] Re: Using $_SERVER['HTTP_HOST'] may allow XSS


Also http://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma

-- 
You received this bug notification because you are a member of
PHPDevShell, which is subscribed to PHPDevShell.
https://bugs.launchpad.net/bugs/1202451

Title:
  Using $_SERVER['HTTP_HOST'] may allow XSS

Status in Open Source PHP RAD Framework with UI.:
  New

Bug description:
  In PHPDS.inc.php, line 358, in PHPDS->configSession(), we use
  $_SERVER['HTTP_HOST'] to build the absolute URL, which will later be
  injected in HTML.

  In some cases this can be a security flaw:
  http://shiflett.org/blog/2006/mar/server-name-versus-http-host

  Very tricky but we should look into it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/phpdevshell/+bug/1202451/+subscriptions
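The pattern the bug describes, and one way to harden it, as an added example that is not PHPDevShell code: the vulnerable builder copies the client-supplied Host header into the base URL, while the hardened builder only accepts a hostname the deployment is configured to serve and otherwise falls back to a canonical name. `ALLOWED_HOSTS`, `CANONICAL_HOST`, the function names and the request array are assumptions made for the illustration.

```php
<?php
// Added example, not code from PHPDevShell. Hypothetical deployment config:
// the hostnames this installation actually serves, and the one to fall back to.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];
const CANONICAL_HOST = 'www.example.com';

function scheme(array $server): string
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Vulnerable pattern: HTTP_HOST is whatever the client put in the Host header,
// so it reaches the generated HTML unchecked.
function base_url_unsafe(array $server): string
{
    return scheme($server) . '://' . $server['HTTP_HOST'] . '/';
}

// Hardened: compare the header (minus an optional :port) against the allowlist.
// Note that $_SERVER['SERVER_NAME'] is not a drop-in fix either: under Apache it
// only reflects the configured name when UseCanonicalName is On.
function resolve_host(array $server): string
{
    $raw  = (string) ($server['HTTP_HOST'] ?? '');
    $name = strtolower(preg_replace('/:\d+$/', '', $raw));
    return in_array($name, ALLOWED_HOSTS, true) ? $name : CANONICAL_HOST;
}

function base_url_safe(array $server): string
{
    return scheme($server) . '://' . resolve_host($server) . '/';
}

// Constructed request carrying a Host header this site does not serve.
$request = ['HTTP_HOST' => 'attacker.example:8080', 'HTTPS' => 'on'];

// Even the validated value is escaped on output; defence in depth costs nothing here.
echo base_url_unsafe($request), "\n";                        // https://attacker.example:8080/
echo htmlspecialchars(base_url_safe($request), ENT_QUOTES), "\n"; // https://www.example.com/
```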

