[thelist] Domain masking and $_SERVER['HTTP_HOST']

Stephen Rider evolt_org at striderweb.com
Wed Nov 14 17:16:55 CST 2007


I'm working on a multiblog system that allows you to run multiple  
blogs off a single install of the blog platform.  (Currently it's only
for WordPress, but should be modifiable to work with others).

The basic concept is that you install WordPress -- that's your first  
blog.  Then you make symbolic links to that directory, and those are  
your other blogs.  My system calls a different set of configuration
files depending on what "directory" it thinks it's being called from.

In my attempts to make it _really_ easy to configure, I have code in  
it that auto-detects which directory it's in, or if it's the root  
directory, what domain it is.  It then looks for (or creates) tables  
in the database based on the directory or domain.  Different set of  
tables == different blog.

The problem:

I see a potential security problem here.  What would stop a person  
from pointing their own domain at my site and thus auto-creating  
their own blog?  Without access to my hosting, they can't directly  
point a domain to my directories, but what about domain masking?

I used domain masking to point a different (unhosted) domain to my  
site, in an attempt to test it.  My regular site (and thus "proper"  
blog) showed up.  I was somewhat expecting it to allow me to install
an auto-created blog based on the masked domain.

The Question:

Why _didn't_ the domain masking work?  The auto-config works based on  
looking at $_SERVER['HTTP_HOST'].  When using masking does this  
variable see the "real" domain and not the masked one?

Are there other security problems I should be looking for?

Regards,
Stephen Rider
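
One way to handle the concern raised in the post, as an added example that is not the author's code: `$_SERVER['HTTP_HOST']` is filled from the client-supplied `Host` request header, so it is resolved against an explicit list of configured blogs and no tables are selected or created for anything else. The host names, table prefixes and function names are hypothetical.

```php
<?php
// Added example, not the author's code. All names here are hypothetical.

// Hosts the site owner has explicitly configured, mapped to a table prefix.
const BLOG_HOSTS = [
    'example.com'      => 'wp_main_',
    'blog.example.net' => 'wp_second_',
];

/**
 * Normalize a raw Host header value: lowercase, drop the port and a
 * trailing dot. Returns null if the value is not a plausible hostname.
 */
function normalize_host(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d{1,5}$/', '', $host);  // strip ":8080"
    $host = rtrim($host, '.');                        // "example.com." -> "example.com"
    // Letters, digits, hyphens and dots only. This also rejects quotes,
    // slashes and whitespace that must never reach a table name.
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?=.{1,253}$)' . $label . '(\.' . $label . ')*$/', $host)) {
        return null;
    }
    return $host;
}

/** Return the table prefix for a configured host, or null for anything else. */
function table_prefix_for_host(?string $rawHost): ?string
{
    $host = normalize_host($rawHost);
    if ($host === null || !array_key_exists($host, BLOG_HOSTS)) {
        return null;
    }
    return BLOG_HOSTS[$host];
}

$prefix = table_prefix_for_host($_SERVER['HTTP_HOST'] ?? null);
if ($prefix === null) {
    // Unknown or malformed host: refuse, and never create tables here.
    http_response_code(400);
    exit('Unknown host');
}
// $prefix now comes only from the configured list, never from the request.
```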


