phpdevshell team mailing list archive
Message #01477
[Bug 1202451] Re: Using $_SERVER['HTTP_HOST'] may allow XSS
** Changed in: phpdevshell
Assignee: (unassigned) => Greg (gregfr)
** Changed in: phpdevshell
Importance: Undecided => High
--
You received this bug notification because you are a member of
PHPDevShell, which is subscribed to PHPDevShell.
https://bugs.launchpad.net/bugs/1202451
Title:
Using $_SERVER['HTTP_HOST'] may allow XSS
Status in Open Source PHP RAD Framework with UI.:
New
Bug description:
In PHPDS.inc.php, line 358, in PHPDS->configSession(), we use
$_SERVER['HTTP_HOST'] to build the absolute URL, which will later be
injected in HTML.
In some cases this can be a security flaw:
http://shiflett.org/blog/2006/mar/server-name-versus-http-host
Very tricky but we should look into it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/phpdevshell/+bug/1202451/+subscriptions
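The pattern the report describes, shown as an added example (this is not PHPDevShell code, and it is not the contents of PHPDS.inc.php). The request values are constructed, and the function names, the $allowed host list and the fallback host are assumptions for illustration only. It contrasts the vulnerable approach (trust $_SERVER['HTTP_HOST'], build an absolute URL, print it into markup unescaped) with a hardened one (accept the Host header only when it matches a configured allowlist, otherwise fall back to a configured canonical host, and HTML-escape before emitting).

```php
<?php
// Added example, not PHPDevShell code. Demonstrates how a client-controlled Host
// header reaches HTML when an absolute URL is built from $_SERVER['HTTP_HOST'],
// next to a hardened variant. Function names, $allowed and the fallback host are
// assumptions for illustration.

// Constructed request: the Host header is whatever the client sent, so an
// attacker can put a quote and a script tag in it. HTTPS/SCRIPT_NAME are set
// so the example runs from the CLI without a web server.
$_SERVER['HTTP_HOST']   = 'example.com"><script>alert(1)</script>';
$_SERVER['HTTPS']       = 'on';
$_SERVER['SCRIPT_NAME'] = '/index.php';

function requestScheme(): string
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Vulnerable: HTTP_HOST is trusted as-is and later printed into an attribute.
function vulnerableAbsoluteUrl(): string
{
    $base = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');
    return requestScheme() . '://' . $_SERVER['HTTP_HOST'] . $base . '/';
}

function vulnerableBaseTag(): string
{
    // No escaping: the quote in the crafted host closes href="..." early.
    return '<base href="' . vulnerableAbsoluteUrl() . '">';
}

// Hardened: only a host from the deployment's allowlist is echoed back; any
// other value (including a crafted one) is replaced by the configured host.
function safeHost(array $allowedHosts, string $fallback): string
{
    $host = $_SERVER['HTTP_HOST'] ?? '';
    // Compare without an optional :port suffix, case-insensitively, exact match.
    $bare = strtolower(preg_replace('/:\d+$/', '', $host));
    if ($bare !== '' && in_array($bare, $allowedHosts, true)) {
        return $host;
    }
    return $fallback;
}

function safeAbsoluteUrl(array $allowedHosts, string $fallback): string
{
    $base = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');
    return requestScheme() . '://' . safeHost($allowedHosts, $fallback) . $base . '/';
}

function safeBaseTag(array $allowedHosts, string $fallback): string
{
    // Escape for an HTML attribute context even though the host was validated;
    // the two controls are independent.
    $url = htmlspecialchars(safeAbsoluteUrl($allowedHosts, $fallback), ENT_QUOTES, 'UTF-8');
    return '<base href="' . $url . '">';
}

$allowed = ['example.com', 'www.example.com']; // assumed deployment config

echo vulnerableBaseTag(), PHP_EOL;
echo safeBaseTag($allowed, 'example.com'), PHP_EOL;
```

Running it from the CLI prints two lines: the first is a <base> tag in which the crafted Host value closes the href attribute and leaves a <script> element in the page, the second is <base href="https://example.com/"> because the crafted host failed the allowlist and the fallback was used. The condition that makes this reachable is a web server that answers requests for any Host value (for example a catch-all default virtual host), since PHP simply copies the client's Host header into $_SERVER['HTTP_HOST']; configuring the canonical host in the application, or using $_SERVER['SERVER_NAME'] with UseCanonicalName On, as the linked Shiflett post discusses, removes the dependence on client input.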