Invalid host attack on PHP websites

When you are creating a PHP script on your website, you many be unaware that there is a security flaw in many website to do with the HTTP_HOST environment variable. This variable is accessed in PHP through the variable:


It is easy to assume that the HTTP_HOST environment variable will always be set, and with many shared, virtual webhosts this is true. The problem appears when a webhost has a static IP for each users account.

When a request comes in to that IP address, even if the HTTP_HOST is not specified in the request, the webserver knows the default website root directory to use. This means that any PHP script in the default website root directory can be accessed with an invalid HTTP_HOST (incorrect domain) environment variable.

The exploit

As my PHP programmers expect the $_SERVER['HTTP_HOST'] variable to carry a valid http_host, they do not expect it to not be set. When it is not set, it can cause the PHP script to behave unexpectedly, and may cause security holes


The solution is very easy, just do not assume that the environment variables are valid. When you need to use them, make sure that they are set to one of the values you expect.

by 1.1K

Remember to vote! Voting helps everyone find the best posts

Tags: None