Host Header Attack

We use this in the index.php

PHP Code:

$default_domain = 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com','www.yourwebsite.com');

if ( ! function_exists('is_https_on'))
{
    /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
    function is_https_on()
    {
        if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
        {
            return TRUE;
        }
            elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
        {
            return TRUE;
        }
        elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
        {
            return TRUE;
        }

        return FALSE;
    }
}

$protocol = 'http://';
if ( is_https_on() && USE_HTTPS ) {
    $protocol = 'https://';
}
// define protocol
define('PROTOCOL', $protocol); 


The check if the HTTP_HOST is within the allowed domains

PHP Code:

if( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains) ) {
    $_SERVER['HTTP_HOST'] = $default_domain;
} 


The set a constant

PHP Code:

define('BASE_URL', PROTOCOL.$_SERVER['HTTP_HOST']); 


And in the config

PHP Code:

$config['base_url'] = BASE_URL; 


Spoofing the HTTP_HOST header will have no effect this way

Ok, Thanks a lot, will try this, andd report it back.