Fix for Host Header Injection issue in CodeIgniter - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com), Forum: External Resources > Addins
Thread: https://forum.codeigniter.com/showthread.php?tid=61597
Fix for Host Header Injection issue in CodeIgniter - ikarius6 - 04-29-2015

codeigniter-trusted-hosts
https://github.com/ikarius6/codeigniter-trusted-hosts

In case you want to leave the base_url configuration empty for portability, it involves a risk.

Host Header Injection issue in CodeIgniter:
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://carlos.bueno.org/2008/06/host-header-injection.html

To avoid security issues, you may want to configure a list of "trusted hosts" (for multi-domain sites) where you add all domains that you use for your project. This code overwrites the way that core/Config.php of CodeIgniter guesses your current domain, by checking a list of trusted hosts first and changing the value of base_url if the host is not in it.

Example:

    $config['trusted_hosts'] = array('localhost', 'my.development.com', 'my.production.com');

If your domain is: mydomain.com
And the HTTP_HOST header is: evilhacker.com

Test: application/views/test.php

    <?php echo site_url("my_secret/12345");

Without codeigniter-trusted-hosts it will show:
http://localhost/my_secret/12345 becomes http://evilhacker.com/my_secret/12345

With codeigniter-trusted-hosts it will show:
http://localhost/my_secret/12345
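The check the post describes, written out as a stand-alone added example (this is not ikarius6's code and not the codeigniter-trusted-hosts project's own implementation; the function name resolve_base_url and the $_SERVER-like input array are assumptions made here). It shows the defender's side: the Host header is only used to build base_url when it exactly matches an entry in the trusted list, and any other or malformed value falls back to the first trusted host, which is what the post's test output illustrates.

```php
<?php
// Added illustration of a trusted-hosts check for base_url guessing.
// Not the codeigniter-trusted-hosts project's code; resolve_base_url is a
// hypothetical helper, and the $server arrays below are constructed samples.

/**
 * Build a base URL from the request Host header only when that host is in
 * $trustedHosts; otherwise fall back to the first trusted host.
 *
 * @param array $server        $_SERVER-like array (HTTP_HOST, HTTPS, SCRIPT_NAME)
 * @param array $trustedHosts  Non-empty list of allowed host names (with port if used)
 * @return string
 */
function resolve_base_url(array $server, array $trustedHosts)
{
    // Normalise the supplied host: lower-case, trimmed, no trailing dot.
    $raw  = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $host = rtrim(strtolower(trim($raw)), '.');

    // Reject anything that is not plain hostname syntax (optionally with a port)
    // before the lookup, so odd characters never reach the URL at all.
    $validSyntax = (bool) preg_match('/^[a-z0-9.-]+(:\d{1,5})?$/', $host);

    $trusted = array_map('strtolower', $trustedHosts);

    // Strict comparison: the header must match a listed host exactly.
    if (!$validSyntax || !in_array($host, $trusted, true)) {
        $host = $trusted[0];
    }

    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';

    // Derive the path prefix from SCRIPT_NAME, as base_url guessing does,
    // so an install in a sub-directory keeps its prefix.
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '/index.php';
    $dir    = rtrim(str_replace(basename($script), '', $script), '/');

    return $scheme . '://' . $host . $dir . '/';
}

// Constructed sample requests: one from a listed host, one with a spoofed Host header.
$trustedHosts = array('localhost', 'my.development.com', 'my.production.com');

$legit = array('HTTP_HOST' => 'my.production.com', 'HTTPS' => 'on', 'SCRIPT_NAME' => '/index.php');
$spoof = array('HTTP_HOST' => 'evilhacker.com',    'HTTPS' => '',   'SCRIPT_NAME' => '/index.php');

echo resolve_base_url($legit, $trustedHosts), "\n";
echo resolve_base_url($spoof, $trustedHosts), "\n";
```

Because the comparison is an exact match, a host that is served on a non-standard port has to be listed with that port (for example localhost:8080), and the trusted list must never be empty, since the first entry is the fallback. Setting base_url explicitly in config remains the simplest option when portability is not a concern; the trusted list only matters when base_url is left empty and the Host header would otherwise be used as-is.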