[thelist] Domain masking and $_SERVER['HTTP_HOST']

Stephen Rider evolt_org at striderweb.com
Thu Nov 15 09:40:34 CST 2007


Let's make the question a bit more short-winded. :)

I have a PHP application that does something different based on what  
domain it's in.  That is, I can point multiple domains to the same  
application, and the app looks up the domain and acts accordingly.

It's primary determining factor is $_SERVER['HTTP_HOST'].

How much of a security risk is this?  I don't want somebody to be  
able to use, for example, domain masking to point some totally  
different domain at my app and piggyback on it.

Yes, this could be locked down with a config file that limits it, but  
one of my goals is to make this virtually configuration-free for the  
user.

Would I be better off using $_SERVER['SERVER_NAME'] ?  Is this whole  
thing simply a bad idea?

Incidentally, I DID do a test run with a masked domain, and there was  
no problem, but I'm no expert on DNS, and one test doesn't prove  
much. :)

Thanks,
Stephen

<tip type="cross-browser SUP tags" author="Stephen Rider">
If you want to use the SUP tag in a way that looks the same cross  
browser, AND doesn't mess up line heights, try putting this in your  
CSS file:

sup {
	position: relative;
	top: -3px;
	vertical-align: top;
	font-size: 90%;
}
</tip>




On Nov 14, 2007, at 5:16 PM, Stephen Rider wrote:

> I'm working on a multiblog system that allows you to run multiple
> blogs of a single install of the blog platform.  (Currently it's only
> for WordPress, but should be modifiable to work with others).
>
> The basic concept is that you install WordPress -- that's your first
> blog.  Then you make symbolic links to that directory, and those are
> you other blogs.  My system calls a different set of configuration
> files depending on what "directory" it thinks it's being called from.
>
> In my attempts to make it _really_ easy to configure, I have code in
> it that auto-detects which directory it's in, or if it's the root
> directory, what domain it is.  It then looks for (or creates) tables
> in the database based on the directory or domain.  Different set of
> tables == different blog.
>
> The problem:
>
> I see a potential security problem here.  What would stop a person
> from pointing their own domain at my site and thus auto-creating
> their own blog?  Without access to my hosting, they can't directly
> point a domain to my directories, but what about domain masking?
>
> I used domain masking to point a different (unhosted) domain to my
> site, in an attempt to test it.  My regular site (and thus "proper"
> blog) showed, up.  I was somewhat expecting it to allow me to install
> an auto-created blog based on the masked domain.
>
> The Question:
>
> Why _didn't_ the domain masking work?  The auto-config works based on
> looking at $_SERVER['HTTP_HOST'].  When using masking does this
> variable see the "real" domain and not the masked one?
>
> Are there other security problems I should be looking for?
>
> Regards,
> Stephen Rider
>



More information about the thelist mailing list