When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179832]
Tue, 11 December 2012 10:53
Tony Marston
I always understood that when activated through a web browser
$_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain name
under which the script was being run, but I have come across some instances
where both SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if
this is legitimate or not.
I have an application which exists on a live server and a test server, with
a different database for each, and they both share a common config file
which identifies which server it is running on so that it can use the
relevant database credentials. If the server name does not match either of
the live or test domain names (such as mydomain.com and test.mydomain.com)
then it uses invalid credentials which causes an error when attempting to
access the database. I never thought that this error would ever appear, but
lately I have been getting errors such as the following:
Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost'
(using password: YES).
Error in line 259 of file
'/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
PHP_SELF: /index.php
CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
SERVER_ADDR: nnn.nnn.nnn.nnn
SERVER_NAME: www.yahoo.com
HTTP_HOST: www.yahoo.com
REMOTE_ADDR: 109.108.142.236
REQUEST_URI: http://www.yahoo.com/
In order to run this script on my live server the URL should have been
www.mydomain.com but here you can see it reported as www.yahoo.com. How is
this possible?
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179834 is a reply to message #179832]
Tue, 11 December 2012 13:28
Scott Johnson
On 12/11/2012 2:53 AM, Tony Marston wrote:
> I always understood that when activated through a web browser
> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
> name under which the script was being run, but I have come across some
> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
> I wondered if this is legitimate or not.
>
> I have an application which exists on a live server and a test server,
> with a different database for each, and they both share a common config
> file which identifies which server it is running on so that it can use
> the relevant database credentials. If the server name does not match
> either of the live or test domain names (such as mydomain.com and
> test.mydomain.com) then it uses invalid credentials which causes an
> error when attempting to access the database. I never thought that this
> error would ever appear, but lately I have been getting errors such as
> the following:
>
> Fatal Error: mysqli_connect(): Access denied for user
> 'default'@'localhost' (using password: YES).
> Error in line 259 of file
> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>
> PHP_SELF: /index.php
> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
> SERVER_ADDR: nnn.nnn.nnn.nnn
> SERVER_NAME: www.yahoo.com
> HTTP_HOST: www.yahoo.com
> REMOTE_ADDR: 109.108.142.236
> REQUEST_URI: http://www.yahoo.com/
>
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How
> is this possible?
>
> Tony Marston
>
> http://www.tonymarston.net
> http://www.radicore.org
Not an expert but it sounds that maybe your server/PHP engine is not
configured properly.
I know REQUEST_URI should NOT be counted on.
Who is your host provider?
You may try phpinfo() to get the full list of data/variables set by your
server. Some here may ask for that info to help you further.
Scotty
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179835 is a reply to message #179834]
Tue, 11 December 2012 14:01
Paul Herber
On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson <noonehome(at)chalupasworld(dot)com> wrote:
> On 12/11/2012 2:53 AM, Tony Marston wrote:
>> I always understood that when activated through a web browser
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never thought that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>>
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>>
>> Tony Marston
>>
>> http://www.tonymarston.net
>> http://www.radicore.org
>
> Not an expert but it sounds that maybe your server/PHP engine is not
> configured properly.
>
> I know REQUEST_URI should NOT be counted on.
>
> Who is your host provider?
>
> You may try phpinfo() to get the full list of data/variables set by your
> server. Some here may ask for that info to help you further.
>
> Scotty
If this is a script to process a form then be aware that anything can call the script
(including webbots (good and bad), other web pages, anything). All incoming information
could be forged.
--
Regards, Paul Herber, Sandrila Ltd.
http://www.sandrila.co.uk/ twitter: @sandrilaLtd
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179839 is a reply to message #179832]
Tue, 11 December 2012 16:26
M. Strobel
Am 11.12.2012 11:53, schrieb Tony Marston:
> I always understood that when activated through a web browser
> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain name under
> which the script was being run, but I have come across some instances where both
> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is legitimate
> or not.
>
> I have an application which exists on a live server and a test server, with a
> different database for each, and they both share a common config file which
> identifies which server it is running on so that it can use the relevant database
> credentials. If the server name does not match either of the live or test domain
> names (such as mydomain.com and test.mydomain.com) then it uses invalid credentials
> which causes an error when attempting to access the database. I never thought that
> this error would ever appear, but lately I have been getting errors such as the
> following:
>
> Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost' (using
> password: YES).
> Error in line 259 of file
> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
> PHP_SELF: /index.php
> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
> SERVER_ADDR: nnn.nnn.nnn.nnn
> SERVER_NAME: www.yahoo.com
> HTTP_HOST: www.yahoo.com
> REMOTE_ADDR: 109.108.142.236
> REQUEST_URI: http://www.yahoo.com/
>
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How is this
> possible?
I can think of several ways:
The client did not use HTTP/1.1 = client request without a hostname
Something like apache mod_rewrite on the server is doing it
any other misconfiguration on the server sites (hopefully temporary)
/Str.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179852 is a reply to message #179834]
Wed, 12 December 2012 07:25
Tony Marston
"Scott Johnson" wrote in message news:ka7ceh$vdf$1(at)dont-email(dot)me...
>
> On 12/11/2012 2:53 AM, Tony Marston wrote:
>> I always understood that when activated through a web browser
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never thought that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>>
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>>
>> Tony Marston
>>
>> http://www.tonymarston.net
>> http://www.radicore.org
>
> Not an expert but it sounds that maybe your server/PHP engine is not
> configured properly.
>
> I know REQUEST_URI should NOT be counted on.
>
> Who is your host provider?
This is a company that I have used for over 6 years for several different
sites, and I have never had a problem previously. I can access all the sites
with the correct URLs and they work as expected. I can even debug them
remotely, and everything looks as it should.
> You may try phpinfo() to get the full list of data/variables set by your
> server. Some here may ask for that info to help you further.
The output from phpinfo() looks perfectly normal and correct. It shows the
expected values for SERVER_NAME and HTTP_HOST.
> Scotty
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179855 is a reply to message #179835]
Wed, 12 December 2012 13:05
Tony Marston
"Paul Herber" wrote in message
news:sveec8dfsaseid5mqiv6cb5g3gro9euenn(at)news(dot)eternal-september(dot)org...
>
> On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson
> <noonehome(at)chalupasworld(dot)com> wrote:
>
>> On 12/11/2012 2:53 AM, Tony Marston wrote:
>>> I always understood that when activated through a web browser
>>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>>> name under which the script was being run, but I have come across some
>>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>>> I wondered if this is legitimate or not.
>>>
>>> I have an application which exists on a live server and a test server,
>>> with a different database for each, and they both share a common config
>>> file which identifies which server it is running on so that it can use
>>> the relevant database credentials. If the server name does not match
>>> either of the live or test domain names (such as mydomain.com and
>>> test.mydomain.com) then it uses invalid credentials which causes an
>>> error when attempting to access the database. I never though that this
>>> error would ever appear, but lately I have been getting errors such as
>>> the following:
>>>
>>> Fatal Error: mysqli_connect(): Access denied for user
>>> 'default'@'localhost' (using password: YES).
>>> Error in line 259 of file
>>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>>>
>>> PHP_SELF: /index.php
>>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>>> SERVER_ADDR: nnn.nnn.nnn.nnn
>>> SERVER_NAME: www.yahoo.com
>>> HTTP_HOST: www.yahoo.com
>>> REMOTE_ADDR: 109.108.142.236
>>> REQUEST_URI: http://www.yahoo.com/
>>>
>>> In order to run this script on my live server the URL should have been
>>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>>> is this possible?
>>>
>>> Tony Marston
>>>
>>> http://www.tonymarston.net
>>> http://www.radicore.org
>>
>> Not an expert but it sounds that maybe your server/PHP engine is not
>> configured properly.
>>
>> I know REQUEST_URI should NOT be counted on.
>>
>> Who is your host provider?
>>
>> You may try phpinfo() to get the full list of data/variables set by your
>> server. Some here may ask for that info to help you further.
>>
>> Scotty
>
> If this is a script to process a form then be aware that anything can call
> the script
> (including webbots (good and bad), other web pages, anything). All incoming
> information
> could be forged.
>
All my pages include the same config file in order to set the database
connection parameters according to which version of the website is being
used, live or test, but if the server name is not recognised as one of those
two it causes an error. But if this value can be spoofed, how is it possible
to identify, with absolute certainty, the name of the server on which the
application is running?
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
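The question above is really about trust: HTTP_HOST is copied from the client's Host header, and SERVER_NAME is the same value unless the web server canonicalises it, so neither can "identify the server with absolute certainty". What the shared config file can do is treat the header as untrusted input and match it against an explicit allowlist, failing closed before any database connection is attempted (rather than attempting one with a fallback 'default' user and leaking a fatal error with file paths). The following is an added example written for this thread, not Tony's Radicore config or any code posted above; the host names, credential values and function names are placeholders, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread: choose database credentials from an
// explicit allowlist keyed on the Host header, and refuse anything else before
// any mysqli_connect() call is made.
declare(strict_types=1);

// Hostnames this deployment is allowed to serve, mapped to an environment name.
// The names are placeholders taken from the thread's example domains.
const HOST_ENVIRONMENTS = [
    'www.mydomain.com'  => 'live',
    'mydomain.com'      => 'live',
    'test.mydomain.com' => 'test',
];

// Placeholder credentials; in a real deployment these come from outside the web root.
const DB_CREDENTIALS = [
    'live' => ['host' => 'localhost', 'user' => 'live_user', 'pass' => 'CHANGE_ME', 'db' => 'live_db'],
    'test' => ['host' => 'localhost', 'user' => 'test_user', 'pass' => 'CHANGE_ME', 'db' => 'test_db'],
];

/**
 * Normalise a raw Host header: lower-case it, strip an optional ":port" suffix and
 * reject anything that is not a plain DNS name. Returns null when the value is unusable
 * (missing header, odd characters, IP literals, over-long names).
 */
function normaliseHost(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $host = strtolower(trim($raw));
    // "www.mydomain.com:443" -> "www.mydomain.com"
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === null || !preg_match('/^[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Map a raw Host header to an environment name, or null when the host is not on the allowlist.
 */
function environmentForHost(?string $raw): ?string
{
    $host = normaliseHost($raw);
    return $host === null ? null : (HOST_ENVIRONMENTS[$host] ?? null);
}

/**
 * Return the credential set for this request, or end the request with a generic 400.
 * Takes the $_SERVER array as a parameter so the lookup can be unit-tested.
 */
function databaseCredentials(array $server): array
{
    // HTTP_HOST is exactly what the client sent. SERVER_NAME carries the same value unless
    // Apache is configured with "UseCanonicalName On", so it is not a safer choice here.
    $raw = $server['HTTP_HOST'] ?? null;
    $env = environmentForHost($raw);
    if ($env === null) {
        // Unknown or missing Host: log the raw value for the operator, but never echo it
        // back to the client and never reveal file paths or credentials in the response.
        error_log('Rejected request with unrecognised Host: ' . var_export($raw, true));
        http_response_code(400);
        exit('Bad Request');
    }
    return DB_CREDENTIALS[$env];
}

// Usage in the shared config file:
// $db   = databaseCredentials($_SERVER);
// $link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['db']);
```

With this in place a request carrying `Host: www.yahoo.com`, or an HTTP/1.0 request with no Host header at all, gets a short 400 and no database round-trip, and the operator sees one line in the error log instead of a fatal error that prints the include path. The allowlist also removes the original design's third, unintended state in which a foreign host name selected a real 'default' user and password.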
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179856 is a reply to message #179839]
Wed, 12 December 2012 13:10
Tony Marston
"M. Strobel" wrote in message news:aip563Ft79lU1(at)mid(dot)uni-berlin(dot)de...
>
> Am 11.12.2012 11:53, schrieb Tony Marston:
>> I always understood that when activated through a web browser
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under
>> which the script was being run, but I have come across some instances
>> where both
>> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is
>> legitimate
>> or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a
>> different database for each, and they both share a common config file
>> which
>> identifies which server it is running on so that it can use the relevant
>> database
>> credentials. If the server name does not match either of the live or test
>> domain
>> names (such as mydomain.com and test.mydomain.com) then it uses invalid
>> credentials
>> which causes an error when attempting to access the database. I never
>> thought that
>> this error would ever appear, but lately I have been getting errors such
>> as the
>> following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using
>> password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this
>> possible?
>
> I can think of several ways:
>
> The client did not use HTTP/1.1 = client request without a hostname
>
> Something like apache mod_rewrite on the server is doing it
>
> any other misconfiguration on the server sites (hopefully temporary)
>
> /Str.
There are no mod_rewrite settings on the server or any other settings which
would cause an error as the site has been in use for some while without
incident, but I am occasionally seeing errors like this because my script
cannot recognise the value in SERVER_NAME. Somebody is trying to access my
site, but somehow they are able to force the value of SERVER_NAME to be
something other than the domain name.
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179857 is a reply to message #179852]
Wed, 12 December 2012 13:27
Scott Johnson
On 12/11/2012 11:25 PM, Tony Marston wrote:
>> You may try phpinfo() to get the full list of data/variables set by
>> your server. Some here may ask for that info to help you further.
>
> The output from phpinfo() looks perfectly normal and correct. It shows
> the expected values for SERVER_NAME and HTTP_HOST.
>
If you are getting the right value in SERVER_NAME and HTTP_HOST using
phpinfo() but are then getting a different value when you use the same
variable in your script, then you have an error in your script.
You may somewhere be setting the variables when you think you may be
comparing them.
if(SERVER_NAME = 'blabla')... set
if(SERVER_NAME == 'blabla')... compare
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179858 is a reply to message #179857]
Wed, 12 December 2012 17:22
Tony Marston
"Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>
> On 12/11/2012 11:25 PM, Tony Marston wrote:
>
>>> You may try phpinfo() to get the full list of data/variables set by
>>> your server. Some here may ask for that info to help you further.
>>
>> The output from phpinfo() looks perfectly normal and correct. It shows
>> the expected values for SERVER_NAME and HTTP_HOST.
>>
>
> If you are getting the right value in SERVER_NAME and HTTP_HOST using
> phpinfo() but are then getting a different value when you use the same
> variable in your script, then you have an error in your script.
There is no error in the script as it runs perfectly for thousands of
requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
$_SERVER['HOST_NAME'] contain values which are different from those which I
expect and which are reported by phpinfo(). It appears that it *IS* possible
for the client to spoof these values, as reported in
http://shiflett.org/blog/2006/mar/server-name-versus-http-host
> You may somewhere be setting the variables when you think you may be
> comparing them.
>
> if(SERVER_NAME = 'blabla')... set
>
> if(SERVER_NAME == 'blabla')... compare
>
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179859 is a reply to message #179858]
Wed, 12 December 2012 18:50
Daniel Pitts
On 12/12/12 9:22 AM, Tony Marston wrote:
> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>
>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>
>>>> You may try phpinfo() to get the full list of data/variables set by
>>>> your server. Some here may ask for that info to help you further.
>>>
>>> The output from phpinfo() looks perfectly normal and correct. It shows
>>> the expected values for SERVER_NAME and HTTP_HOST.
>>>
>>
>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>> phpinfo() but are then getting a different value when you use the same
>> variable in your script, then you have an error in your script.
>
> There is no error in the script as it runs perfectly for thousands of
> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
> $_SERVER['HOST_NAME'] contain values which are different from those
> which I expect and which are reported by phpinfo(). It appears that it
> *IS* possible for the client to spoof these values, as reported in
> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>
The way that HTTP works is that the client connects to the IP address,
and then sends the host name it was trying to connect to as part of the
headers, e.g. Host: www.example.com. This allows for many virtual hosts
on a single IP/Port.
What could happen is that someone's DNS is pointing to your IP, and so
you receive a request that was meant for a different URL.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179860 is a reply to message #179859]
Wed, 12 December 2012 19:34
The Natural Philosoph
On 12/12/12 18:50, Daniel Pitts wrote:
> On 12/12/12 9:22 AM, Tony Marston wrote:
>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>
>>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>
>>>> > You may try phpinfo() to get the full list of data/variables set by
>>>> > your server. Some here may ask for that info to help you further.
>>>>
>>>> The output from phpinfo() looks perfectly normal and correct. It shows
>>>> the expected values for SERVER_NAME and HTTP_HOST.
>>>>
>>>
>>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>> phpinfo() but are then getting a different value when you use the same
>>> variable in your script, then you have an error in your script.
>>
>> There is no error in the script as it runs perfectly for thousands of
>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>> $_SERVER['HOST_NAME'] contain values which are different from those
>> which I expect and which are reported by phpinfo(). It appears that it
>> *IS* possible for the client to spoof these values, as reported in
>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>
>
> The way that HTTP works, is that the client connects to the IP address,
> and then sends the host name it was trying to connect to as part of the
> headers. eg. Host: www.example.com. This allows for many virtual hosts
> on a single IP/Port.
>
> What could happen is that someone's DNS is pointing to your IP, and so
> you receive a request that was meant for a different URL.
all of which can be overcome by setting up the web server to reject or
redirect requests that have the wrong 'host' parameter...
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179861 is a reply to message #179860]
Thu, 13 December 2012 06:52
Tony Marston
"The Natural Philosopher" wrote in message
news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>
> On 12/12/12 18:50, Daniel Pitts wrote:
>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>>
>>>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>>
>>>> >> You may try phpinfo() to get the full list of data/variables set by
>>>> >> your server. Some here may ask for that info to help you further.
>>>> >
>>>> > The output from phpinfo() looks perfectly normal and correct. It shows
>>>> > the expected values for SERVER_NAME and HTTP_HOST.
>>>> >
>>>>
>>>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> phpinfo() but are then getting a different value when you use the same
>>>> variable in your script, then you have an error in your script.
>>>
>>> There is no error in the script as it runs perfectly for thousands of
>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>> which I expect and which are reported by phpinfo(). It appears that it
>>> *IS* possible for the client to spoof these values, as reported in
>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>
>>
>> The way that HTTP works, is that the client connects to the IP address,
>> and then sends the host name it was trying to connect to as part of the
>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>> on a single IP/Port.
>>
>> What could happen is that someone's DNS is pointing to your IP, and so
>> you receive a request that was meant for a different URL.
>
> all of which can be overcome by setting up the web server to reject or
> redirect requests that have the wrong 'host' parameter...
And exactly how might that be done, O Great One?
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179863 is a reply to message #179861]
Thu, 13 December 2012 11:43
The Natural Philosoph
On 13/12/12 06:52, Tony Marston wrote:
> "The Natural Philosopher" wrote in message
> news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>>
>> On 12/12/12 18:50, Daniel Pitts wrote:
>>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>> >
>>>> > On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>> >
>>>> >>> You may try phpinfo() to get the full list of data/variables set by
>>>> >>> your server. Some here may ask for that info to help you further.
>>>> >>
>>>> >> The output from phpinfo() looks perfectly normal and correct. It
>>>> >> shows
>>>> >> the expected values for SERVER_NAME and HTTP_HOST.
>>>> >>
>>>> >
>>>> > If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> > phpinfo() but are then getting a different value when you use the same
>>>> > variable in your script, then you have an error in your script.
>>>>
>>>> There is no error in the script as it runs perfectly for thousands of
>>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>>> which I expect and which are reported by phpinfo(). It appears that it
>>>> *IS* possible for the client to spoof these values, as reported in
>>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>>
>>>
>>> The way that HTTP works, is that the client connects to the IP address,
>>> and then sends the host name it was trying to connect to as part of the
>>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>>> on a single IP/Port.
>>>
>>> What could happen is that someone's DNS is pointing to your IP, and so
>>> you receive a request that was meant for a different URL.
>>
>> all of which can be overcome by setting up the web server to reject or
>> redirect requests that have the wrong 'host' parameter...
>
> And exactly how might that be done, O Great One?
>
Read the apache documentation for how apache does virtual servers.
It selects the website based not on IP address but on HOST type commands.
So for apache you create the default site, BUT it simply says 'you must
have got it wrong' because all your VALID sites are in fact 'virtual' ones.
I've got half a dozen sites sharing the same IP address. The default
site is an 'I don't care' one where I stuff photo albums for a quick way
to share pictures with friends. If you go in with host: unset, that's
where you end up.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
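The default-site approach described in the reply above, written out as an added Apache 2.4 configuration example (it is not the poster's own configuration and not from the thread). Apache answers a request from the first <VirtualHost> defined for the matching address:port whenever the Host header matches no ServerName or ServerAlias, and also when no Host header is sent at all (an HTTP/1.0 client, the first case Strobel listed), so the catch-all must be defined before the real sites and should refuse service rather than run the application. UseCanonicalName On makes SERVER_NAME come from the ServerName directive instead of from the client's Host header; with the default of Off both fields echo the Host header, which is why the error report at the top of the thread shows www.yahoo.com in SERVER_NAME as well as HTTP_HOST. Host names, document roots and log file names are placeholders; the live DocumentRoot is the path from Tony's error report.

```apache
# Added example, not the poster's configuration. Apache 2.4 syntax.
# Catch-all default: first <VirtualHost> for *:80, so it receives every request whose
# Host header matches no real site, and every request with no Host header at all.
<VirtualHost *:80>
    # ".invalid" is reserved and can never be a legitimate client Host value.
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Refuse everything instead of serving any application under a foreign host name.
    <Location "/">
        Require all denied
    </Location>
    # Separate logs make unexpected Host values easy to review.
    ErrorLog ${APACHE_LOG_DIR}/default-vhost-error.log
    CustomLog ${APACHE_LOG_DIR}/default-vhost-access.log combined
</VirtualHost>

# Live site: only reached when the Host header is one of these names.
<VirtualHost *:80>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    # SERVER_NAME (and self-referential URLs) now come from ServerName, not from the client.
    UseCanonicalName On
    DocumentRoot /var/www/vhosts/mydomain.com/httpdocs
</VirtualHost>

# Test site: same rule, its own name and document root (placeholder path).
<VirtualHost *:80>
    ServerName test.mydomain.com
    UseCanonicalName On
    DocumentRoot /var/www/vhosts/test.mydomain.com/httpdocs
</VirtualHost>
```

After a reload, a request carrying `Host: www.yahoo.com` (or no Host at all) lands in the catch-all and is answered with 403 from an empty document root, so the PHP application and its shared config file are never executed for it; requests for the two real names behave exactly as before, except that SERVER_NAME is now fixed by configuration. Apache 2.2 users need the older `Order deny,allow` / `Deny from all` form in place of `Require all denied` and a `NameVirtualHost *:80` line.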