phpdevshell team mailing list archive
Message #01378
[Bug 1202451] Re: Using $_SERVER['HTTP_HOST'] may allow XSS
Also http://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma
--
You received this bug notification because you are a member of PHPDevShell, which is subscribed to PHPDevShell.
https://bugs.launchpad.net/bugs/1202451
Title:
Using $_SERVER['HTTP_HOST'] may allow XSS
Status in Open Source PHP RAD Framework with UI.:
New
Bug description:
In PHPDS.inc.php, line 358, in PHPDS->configSession(), we use $_SERVER['HTTP_HOST'] to build the absolute URL, which will later be injected in HTML.
In some cases this can be a security flaw:
http://shiflett.org/blog/2006/mar/server-name-versus-http-host
Very tricky but we should look into it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/phpdevshell/+bug/1202451/+subscriptions
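The pattern the bug report describes, and one way to harden it, as an added example that is not PHPDevShell's code and does not reproduce the logic of PHPDS->configSession(). It assumes the application already knows its canonical hostname(s) from configuration; the function names `safe_base_url` and `html_attr` and the sample hostnames are hypothetical, and the request arrays are constructed for the demonstration.

```php
<?php
// Added example, not PHPDevShell project code.
// Demonstrates building a base URL without trusting $_SERVER['HTTP_HOST'],
// and escaping the result before it reaches HTML.
// Assumption: the application config supplies a list of canonical hosts.

/**
 * Return the site's base URL. The client's Host header is honoured only when
 * its hostname part exactly matches one of the configured canonical hosts;
 * otherwise the first configured host is used.
 *
 * @param string[]             $allowedHosts canonical hostnames from config (assumed)
 * @param array<string, mixed> $server       normally $_SERVER; injected so the
 *                                            function can be exercised offline
 */
function safe_base_url(array $allowedHosts, array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';

    // The Host header may carry a port (host:8080); compare the hostname only,
    // case-insensitively, and never echo the raw header value anywhere.
    $rawHost  = isset($server['HTTP_HOST']) ? (string) $server['HTTP_HOST'] : '';
    $hostOnly = strtolower(preg_replace('/:\d+$/', '', $rawHost));

    $host = $allowedHosts[0];           // safe default: first canonical host
    foreach ($allowedHosts as $allowed) {
        if ($hostOnly === strtolower($allowed)) {
            $host = $allowed;           // use the configured spelling, not the header
            break;
        }
    }

    return $scheme . '://' . $host . '/';
}

/** Escape a value before placing it in an HTML attribute. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Constructed demonstration input (not real traffic) ---
$allowed = ['www.example.com', 'example.com'];

// A request whose Host header carries markup. Echoing $_SERVER['HTTP_HOST']
// unchecked into a <link> or <base> tag would place that markup in the page.
$hostile = ['HTTPS' => 'on', 'HTTP_HOST' => 'attacker.example"><b>injected</b>'];
$normal  = ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com:443'];

echo safe_base_url($allowed, $hostile), PHP_EOL;   // falls back to the canonical host
echo safe_base_url($allowed, $normal), PHP_EOL;    // matches after stripping the port

// The URL is escaped at the point of output as well, so a later change to the
// configured hosts cannot reintroduce raw quote or angle-bracket characters.
echo '<link rel="canonical" href="' . html_attr(safe_base_url($allowed, $hostile)) . '">', PHP_EOL;
```

Two points the example is built around: the allowlist check is the real fix, because it removes the client's control over the value entirely, and output escaping is kept as a second layer rather than a substitute. Switching to `$_SERVER['SERVER_NAME']` alone is not a fix either: on Apache with `UseCanonicalName Off` (the default) `SERVER_NAME` is itself populated from the client's Host header, which is the point made in the Shiflett post linked above.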