
Host header attack #11

Open
creative-coder opened this issue Jun 9, 2016 · 5 comments

Comments

@creative-coder

I found a security issue in index.php line 35: 'http://' . Environment::get('HTTP_HOST')
Better would be 'http://' . Environment::get('SERVER_NAME') to prevent a host header attack.

http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

@OmarElgabry
Owner

Yes! You are right. However, give me some time to dig into this issue.

@creative-coder
Author

np, cool ;)

@creative-coder
Author

For a little help: the request must come from the server origin, not from the host itself, that's the trick. The host can be faked, the server not.

@OmarElgabry
Owner

OmarElgabry commented Jun 17, 2016

After digging into this issue, I found that SERVER_NAME is more reliable, but it can also be as insecure as HTTP_HOST. Why? Because it depends on the server config. If UseCanonicalName is set Off in Apache (the default), SERVER_NAME will be constructed from the client-supplied values.

Frameworks like Symfony check first if HTTP_HOST is available; if not, then check SERVER_NAME, and finally SERVER_ADDR. Then they do some validation and compare against allowed hosts. Thus, I'll implement the same behavior in a simpler way.

OmarElgabry added a commit that referenced this issue Oct 17, 2016
- Exposed (public instead of private) request and response objects of app
object.
- Update the sequence of loading components in index.php
- Assign PUBLIC_ROOT to a more trusted host value to avoid host header
attack #11
@OmarElgabry
Owner

After commit 1900ff0, PUBLIC_ROOT can now be assigned to a trusted host value, but the host value still needs to be checked against a trusted list of host patterns, which will be done in my future plans.
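The two pieces discussed in this thread (the HTTP_HOST / SERVER_NAME / SERVER_ADDR fallback order from the Jun 17 comment, and the still-missing check against a trusted list of host patterns mentioned after the commit) can be combined into a single host-resolution step before the value is used to build PUBLIC_ROOT. The code below is an added example written for this page; it is not the project's code and not taken from the commit. The function names, the $trusted allowlist and the sample $_SERVER-style arrays are assumptions constructed for the demo.

```php
<?php
// Added example (not the project's code): resolve a host value that is safe to
// embed in absolute URLs such as PUBLIC_ROOT. Lookup order follows the thread
// (HTTP_HOST, then SERVER_NAME, then SERVER_ADDR); because every one of these can
// be client-influenced depending on server config, the allowlist check is the
// part that actually defends against host header poisoning.

/**
 * Return the normalised request host if it matches a trusted pattern, else null.
 *
 * @param array<string,string> $server  $_SERVER-style array (constructed in the demo)
 * @param string[]             $trusted Regular expressions (no delimiters) for allowed hosts
 */
function resolveTrustedHost(array $server, array $trusted): ?string
{
    $host = '';
    foreach (['HTTP_HOST', 'SERVER_NAME', 'SERVER_ADDR'] as $key) {
        if (!empty($server[$key])) {
            $host = (string) $server[$key];
            break;
        }
    }
    if ($host === '') {
        return null;
    }

    // Normalise: lower-case, drop an optional port, drop a trailing dot.
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    // Reject anything that is not a plausible DNS host name. This fails closed on
    // CR/LF, spaces, slashes, '@' and other characters seen in poisoned headers.
    // (Bracketed IPv6 literals are also rejected and fall through to the default.)
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }

    // Allowlist: the whole host must match one trusted pattern, anchored at both ends.
    foreach ($trusted as $pattern) {
        if (preg_match('~^' . $pattern . '$~i', $host)) {
            return $host;
        }
    }
    return null;
}

/**
 * Build the absolute public root. A request whose host is not trusted does not
 * get to choose the URL; the configured fallback is used instead.
 */
function publicRoot(array $server, array $trusted, string $fallback, bool $https = false): string
{
    $host = resolveTrustedHost($server, $trusted) ?? $fallback;
    return ($https ? 'https://' : 'http://') . $host;
}

// Constructed sample requests (not real traffic) in the shape of $_SERVER.
$trusted = ['example\.com', '.*\.example\.com'];

$legit        = ['HTTP_HOST' => 'www.example.com:8080', 'SERVER_NAME' => 'www.example.com'];
$poisoned     = ['HTTP_HOST' => 'evil.example.net',     'SERVER_NAME' => 'evil.example.net'];
$noHostHeader = ['SERVER_NAME' => 'example.com'];

var_dump(publicRoot($legit, $trusted, 'example.com'));
var_dump(publicRoot($poisoned, $trusted, 'example.com'));
var_dump(publicRoot($noHostHeader, $trusted, 'example.com'));
```

The allowlist is the only input here that is not under the client's control, so it is what decides the outcome: the legitimate request yields its own host (port stripped), the poisoned one and any malformed value fall back to the configured default rather than to whatever the Host header carried. Keep the patterns as tight as the deployment allows; a catch-all such as '.*' would reintroduce the original problem.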
