Fix for Host Header Injection issue in CodeIgniter
codeigniter-trusted-hosts
https://github.com/ikarius6/codeigniter-trusted-hosts

In case you want to leave the base_url configuration empty for portability, it involves a risk.

Host Header Injection issue in CodeIgniter:
http://www.skeletonscribe.net/2013/05/pr...tacks.html
http://carlos.bueno.org/2008/06/host-hea...ction.html

To avoid security issues, you may want to configure a list of "trusted hosts" (for multi-domain sites) where you add all domains that you use for your project. This code overrides the way core/Config.php of CodeIgniter guesses your current domain: it checks a list of trusted hosts first and changes the value of base_url if the current host is not on it.

Example:

$config['trusted_hosts'] = array('localhost', 'my.development.com', 'my.production.com');

If your domain is: mydomain.com
And the HTTP_HOST header is: evilhacker.com

Test: application/views/test.php

<?php echo site_url("my_secret/12345");

Without codeigniter-trusted-hosts it will show:
http://evilhacker.com/my_secret/12345

With codeigniter-trusted-hosts it will show:
http://localhost/my_secret/12345
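The check described above, written out as a stand-alone PHP example. This is an added illustration, not the codeigniter-trusted-hosts project's code and not CodeIgniter's core/Config.php: the function names resolve_trusted_host and build_base_url are assumptions made here, the $config['trusted_hosts'] array is the one from the post, and the sample requests are constructed. It shows the exact-match comparison (case-insensitive, port removed, no substring or wildcard matching) and the fallback to the first trusted entry when the Host header is spoofed or absent.

```php
<?php
// Added example, not code from the codeigniter-trusted-hosts project.
// Demonstrates validating HTTP_HOST against a trusted list before using it
// to build base_url, with a safe fallback when the host is not trusted.

/**
 * Return the host to use for base_url: the request's Host header if it is on
 * the trusted list, otherwise the first trusted host as a safe fallback.
 * Hypothetical helper name; not part of the project.
 */
function resolve_trusted_host(array $trusted_hosts, ?string $http_host): string
{
    // Normalise: lower-case and drop an optional port ("host:8080") before comparing.
    $host = strtolower(trim((string) $http_host));
    if (($pos = strpos($host, ':')) !== false) {
        $host = substr($host, 0, $pos);
    }

    // Exact, case-insensitive match only. A prefix or suffix match would let
    // "my.production.com.attacker.example" slip through, so none is attempted.
    foreach ($trusted_hosts as $trusted) {
        if ($host === strtolower($trusted)) {
            return $trusted; // return the canonical spelling from the config
        }
    }

    // Unknown or missing Host header: fall back to the first trusted entry,
    // which matches the post's example where 'localhost' is used instead of
    // the spoofed value.
    return $trusted_hosts[0];
}

/**
 * Build a base_url from the (constructed) $_SERVER-style array, using only
 * a host that passed the trusted-host check. Hypothetical helper name.
 */
function build_base_url(array $trusted_hosts, array $server): string
{
    $host   = resolve_trusted_host($trusted_hosts, $server['HTTP_HOST'] ?? null);
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/';
}

// Trusted-host list taken from the post.
$config['trusted_hosts'] = array('localhost', 'my.development.com', 'my.production.com');

// Constructed sample requests covering the post's scenario and a few edge cases.
$samples = array(
    array('HTTP_HOST' => 'evilhacker.com'),                  // spoofed host, not on the list
    array('HTTP_HOST' => 'my.production.com'),               // trusted host, plain
    array('HTTP_HOST' => 'MY.Development.COM:8080'),         // trusted host, odd case plus port
    array('HTTP_HOST' => 'my.production.com.evil.example'),  // trusted name used as a prefix
    array(),                                                 // no Host header at all
);

foreach ($samples as $server) {
    echo build_base_url($config['trusted_hosts'], $server), PHP_EOL;
}
```

Run it with `php trusted_hosts_example.php` (any file name). Only the second and third requests yield a base_url built from their own Host header; the others fall back to localhost, which is the behaviour the post describes for the evilhacker.com case. When deploying the real extension, setting base_url explicitly remains the simplest mitigation for a single-domain site; the trusted-host list is the alternative for multi-domain installs where base_url has to stay empty.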