
And again about the $_SERVER['HTTP_HOST'] vulnerability

Habr has already covered one well-known vulnerability associated with the variable $_SERVER['HTTP_HOST']. Only for some reason that article talked about SQL injection and about anything except XSS.

I have no way to comment on the original article, so I'll clarify in two lines. Suppose your site has links with an absolute address, like:

 <script type="text/javascript" src="http://<?=$_SERVER['HTTP_HOST'] ?>/my.js"></script>

Suppose your site's address is www.user.com and the address of my site is www.hacker.com. All I have to do is send you a link to a special page on my site, from which I perform the most ordinary redirect to your own site. Only for the redirect I use somewhat unusual headers: as the HTTP request target I specify your own site, www.user.com, but as the Host I give mine, www.hacker.com. Although, in principle, a request target in absolute form is nothing unusual.

The headers will look like:

GET http://www.user.com HTTP/1.1
Host:www.hacker.com

And your script will substitute my host for $_SERVER['HTTP_HOST']. Your link src="<?=$_SERVER['HTTP_HOST'] ?>/my.js" will not look the way you expected, www.user.com/my.js, but www.hacker.com/my.js. As a result, your browser will download the script from my site with a clear conscience and execute it.

And I get your cookie.

You say offhand that you have no absolute links? Well, first, TinyMCE at least uses absolute links by default. Besides, it doesn't have to be a link to a *.js file: a link to CSS works just as well, or, as a last resort, an iframe.
So, as always, never trust data that came from the client.
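To make the last point concrete, here is an added example (not code from the original post) showing the vulnerable pattern from the post next to a hardened one that takes the host from a configured allowlist instead of the request. The host names are the post's placeholders; the allowlist, constants and helper names are assumptions for the example.

```php
<?php
// Added example, not from the original post. The canonical host and the
// allowlist are assumed configuration values; in a real deployment they come
// from the application's config, never from the incoming request.
const CANONICAL_HOST = 'www.user.com';
const ALLOWED_HOSTS  = ['www.user.com', 'user.com'];

// Vulnerable: trusts whatever the client put in the Host header.
function scriptUrlVulnerable(array $server): string
{
    return 'http://' . ($server['HTTP_HOST'] ?? '') . '/my.js';
}

// Hardened: only a host from the allowlist is used; anything else falls back
// to the configured canonical host. A port suffix and upper case are
// normalised before the comparison so "WWW.USER.COM:80" still matches.
function resolveHost(array $server): string
{
    $raw  = (string) ($server['HTTP_HOST'] ?? '');
    $host = strtolower((string) preg_replace('/:\d+$/', '', $raw));
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

function scriptUrlHardened(array $server): string
{
    return 'http://' . resolveHost($server) . '/my.js';
}

// Constructed $_SERVER arrays for an offline run (not real requests):
// the first mimics the request from the post, an absolute request target
// naming the victim site but a Host header naming the attacker's site.
$spoofed = ['REQUEST_URI' => 'http://www.user.com', 'HTTP_HOST' => 'www.hacker.com'];
$normal  = ['REQUEST_URI' => '/',                   'HTTP_HOST' => 'www.user.com'];

printf("vulnerable, spoofed Host: %s\n", scriptUrlVulnerable($spoofed));
printf("hardened,   spoofed Host: %s\n", scriptUrlHardened($spoofed));
printf("hardened,   normal Host:  %s\n", scriptUrlHardened($normal));
```

A request whose Host falls outside the allowlist is also worth logging separately, since it is a cheap signal for this kind of probing in front of the application.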

Source: https://habr.com/ru/post/279829/
