| Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179863 is a reply to message #179861] |
Thu, 13 December 2012 11:43   |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 13/12/12 06:52, Tony Marston wrote:
> "The Natural Philosopher" wrote in message
> news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>>
>> On 12/12/12 18:50, Daniel Pitts wrote:
>>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>> >
>>>> > On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>> >
>>>> >>> You may try phpinfo() to get the full list of data/variables set by
>>>> >>> your server. Some here may ask for that info to help you further.
>>>> >>
>>>> >> The output from phpinfo() looks perfectly normal and correct. It
>>>> >> shows
>>>> >> the expected values for SERVER_NAME and HTTP_HOST.
>>>> >>
>>>> >
>>>> > If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> > phpinfo() but are then getting a different value when you use the same
>>>> > variable in your script, then you have an error in your script.
>>>>
>>>> These is no error in the script as it runs perfectly for thousands of
>>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>>> which I expect and which are reported by phpinfo(). It appears that is
>>>> *IS* possible for the client to spoof these values, as reported in
>>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>>
>>>
>>> The way that HTTP works, is that the client connects to the IP address,
>>> and then sends the host name it was trying to connect to as part of the
>>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>>> on a single IP/Port.
>>>
>>> What could happen is that someone's DNS is pointing to your IP, and so
>>> you receive a request that was meant for a different URL.
>>
>> all of which can be overcome by setting up the web server to reject or
>> redirect requests that have the wrong 'host' parameter...
>
> And exactly how might that be done, O Great One?
>
Read the apache documentation for how apache does virtual servers.
It selects the website based not on IP address but on HOST type commands.
So for apache you create the default site, BUT it simply says 'you must
have got it wrong' because all your VALID sites are in fact 'virtual' ones.
I've got half a dozen sites sharing the same IP address. The default
site is an 'I don't care' one where I stuff photo albums for a quick way
to share pictures with friends. If you go in with host: unset, that's
where you end up.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]