[thelist] Domain masking and $_SERVER['HTTP_HOST']
Stephen Rider
evolt_org at striderweb.com
Wed Nov 14 17:16:55 CST 2007

I'm working on a multiblog system that allows you to run multiple
blogs off a single install of the blog platform. (Currently it's only
for WordPress, but should be modifiable to work with others.)

The basic concept is that you install WordPress -- that's your first
blog. Then you make symbolic links to that directory, and those are
your other blogs. My system calls a different set of configuration
files depending on what "directory" it thinks it's being called from.

In my attempts to make it _really_ easy to configure, I have code in
it that auto-detects which directory it's in, or if it's the root
directory, what domain it is. It then looks for (or creates) tables
in the database based on the directory or domain. Different set of
tables == different blog.

The problem:

I see a potential security problem here. What would stop a person
from pointing their own domain at my site and thus auto-creating
their own blog? Without access to my hosting, they can't directly
point a domain to my directories, but what about domain masking?

I used domain masking to point a different (unhosted) domain to my
site, in an attempt to test it. My regular site (and thus "proper"
blog) showed up. I was somewhat expecting it to allow me to install
an auto-created blog based on the masked domain.

The Question:

Why _didn't_ the domain masking work? The auto-config works based on
looking at $_SERVER['HTTP_HOST']. When using masking does this
variable see the "real" domain and not the masked one?

Are there other security problems I should be looking for?

Regards,
Stephen Rider
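
One way to close the gap raised in the post, as an added example that is not part of the original message or the poster's code: $_SERVER['HTTP_HOST'] is filled from the client-supplied Host header, so the blog is chosen from an explicit allowlist and an unknown host never triggers table creation. The host names, table prefixes and function names are hypothetical.

```php
<?php
// Added example: hosts, prefixes and function names are hypothetical.

// Hostnames the operator has provisioned, mapped to table prefixes
// (constructed sample values).
const ALLOWED_BLOGS = [
    'example.com'      => 'wp_main_',
    'blog.example.com' => 'wp_blog_',
];

// Normalise a Host header value; return null if it is missing or malformed.
function normalise_host(?string $rawHost): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d{1,5}$/', '', $host); // drop optional :port
    $host = rtrim($host, '.');                      // drop trailing dot
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^$label(?:\\.$label)*$/", $host)) {
        return null;
    }
    return $host;
}

// Return the table prefix for a provisioned host, or null for anything else.
// A null result means: refuse the request and create nothing.
function table_prefix_for_host(?string $rawHost, array $allowed = ALLOWED_BLOGS): ?string
{
    $host = normalise_host($rawHost);
    if ($host === null) {
        return null;
    }
    return $allowed[$host] ?? null;
}

// In the real entry point this would be:
//   table_prefix_for_host($_SERVER['HTTP_HOST'] ?? null)
// Demo with constructed Host values:
$samples = ['Example.com:80', 'blog.example.com', 'unprovisioned.test', "bad host\r\n"];
foreach ($samples as $h) {
    $prefix = table_prefix_for_host($h);
    printf("%-24s => %s\n", json_encode($h), $prefix ?? 'REJECT (no tables created)');
}
```

Creating a new blog then becomes a deliberate step (adding an entry to the map) instead of a side effect of whatever host name a request carries.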