FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script?
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179832] Tue, 11 December 2012 10:53 Go to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
I always understood than when activated through a web browser that
$_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain name
under which the script was being run, but I have come across some instances
where both SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if
this is legitimate or not.

I have an application which exists on a live server and a test server, with
a different database for each, and they both share a common config file
which identifies which server it is running on so that it can use the
relevant database credentials. If the server name does not match either of
the live or test domain names (such as mydomain.com and test.mydomain.com)
then it uses invalid credentials which causes an error when attempting to
access the database. I never though that this error would ever appear, but
lately I have been getting errors such as the following:

Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost'
(using password: YES).
Error in line 259 of file
'/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
PHP_SELF: /index.php
CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
SERVER_ADDR: nnn.nnn.nnn.nnn
SERVER_NAME: www.yahoo.com
HTTP_HOST: www.yahoo.com
REMOTE_ADDR: 109.108.142.236
REQUEST_URI: http://www.yahoo.com/

In order to run this script on my live server the URL should have been
www.mydomain.com but here you can see it reported as www.yahoo.com. How is
this possible?

Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179834 is a reply to message #179832] Tue, 11 December 2012 13:28 Go to previous messageGo to next message
Scott Johnson is currently offline  Scott Johnson
Messages: 196
Registered: January 2012
Karma: 0
Senior Member
On 12/11/2012 2:53 AM, Tony Marston wrote:
> I always understood than when activated through a web browser that
> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
> name under which the script was being run, but I have come across some
> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
> I wondered if this is legitimate or not.
>
> I have an application which exists on a live server and a test server,
> with a different database for each, and they both share a common config
> file which identifies which server it is running on so that it can use
> the relevant database credentials. If the server name does not match
> either of the live or test domain names (such as mydomain.com and
> test.mydomain.com) then it uses invalid credentials which causes an
> error when attempting to access the database. I never though that this
> error would ever appear, but lately I have been getting errors such as
> the following:
>
> Fatal Error: mysqli_connect(): Access denied for user
> 'default'@'localhost' (using password: YES).
> Error in line 259 of file
> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>
> PHP_SELF: /index.php
> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
> SERVER_ADDR: nnn.nnn.nnn.nnn
> SERVER_NAME: www.yahoo.com
> HTTP_HOST: www.yahoo.com
> REMOTE_ADDR: 109.108.142.236
> REQUEST_URI: http://www.yahoo.com/
>
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How
> is this possible?
>
> Tony Marston
>
> http://www.tonymarston.net
> http://www.radicore.org

Not an expert but it sounds that maybe your server/PHP engine is not
configured properly.

I know REQUEST_URI should NOT be counted on.

Who is your host provider?

You may try phpinfo() to get the full list of data/variables set by your
server. Some here may ask for that info to help you further.

Scotty
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179835 is a reply to message #179834] Tue, 11 December 2012 14:01 Go to previous messageGo to next message
Paul Herber is currently offline  Paul Herber
Messages: 26
Registered: February 2011
Karma: 0
Junior Member
On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson <noonehome(at)chalupasworld(dot)com> wrote:

> On 12/11/2012 2:53 AM, Tony Marston wrote:
>> I always understood than when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never though that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>>
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>>
>> Tony Marston
>>
>> http://www.tonymarston.net
>> http://www.radicore.org
>
> Not an expert but it sounds that maybe your server/PHP engine is not
> configured properly.
>
> I know REQUEST_URI should NOT be counted on.
>
> Who is your host provider?
>
> You may try phpinfo() to get the full list of data/variables set by your
> server. Some here may ask for that info to help you further.
>
> Scotty

If this is a script to process a form then be aware that anything can call the script
(including webbots (good and bad), other web pages, anything. All incoming information
could be forged.



--
Regards, Paul Herber, Sandrila Ltd.
http://www.sandrila.co.uk/ twitter: @sandrilaLtd
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179839 is a reply to message #179832] Tue, 11 December 2012 16:26 Go to previous messageGo to next message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
Senior Member
Am 11.12.2012 11:53, schrieb Tony Marston:
> I always understood than when activated through a web browser that
> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain name under
> which the script was being run, but I have come across some instances where both
> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is legitimate
> or not.
>
> I have an application which exists on a live server and a test server, with a
> different database for each, and they both share a common config file which
> identifies which server it is running on so that it can use the relevant database
> credentials. If the server name does not match either of the live or test domain
> names (such as mydomain.com and test.mydomain.com) then it uses invalid credentials
> which causes an error when attempting to access the database. I never though that
> this error would ever appear, but lately I have been getting errors such as the
> following:
>
> Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost' (using
> password: YES).
> Error in line 259 of file
> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
> PHP_SELF: /index.php
> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
> SERVER_ADDR: nnn.nnn.nnn.nnn
> SERVER_NAME: www.yahoo.com
> HTTP_HOST: www.yahoo.com
> REMOTE_ADDR: 109.108.142.236
> REQUEST_URI: http://www.yahoo.com/
>
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How is this
> possible?

I can think of several ways:

The client did not use HTTP/1.1 = client request without a hostname

Something like apache mod_rewrite on the server is doing it

any other misconfiguration on the server sites (hopefully temporary)

/Str.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179852 is a reply to message #179834] Wed, 12 December 2012 07:25 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"Scott Johnson" wrote in message news:ka7ceh$vdf$1(at)dont-email(dot)me...
>
> On 12/11/2012 2:53 AM, Tony Marston wrote:
>> I always understood than when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never though that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>>
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>>
>> Tony Marston
>>
>> http://www.tonymarston.net
>> http://www.radicore.org
>
> Not an expert but it sounds that maybe your server/PHP engine is not
> configured properly.
>
> I know REQUEST_URI should NOT be counted on.
>
> Who is your host provider?

This is a company that I have used for over 6 years for several different
sites, and I have never had a problem previously. I can access all the sites
with the correct URLs and they work as expected. I can even debug them
remotely, and everything looks as it should.

> You may try phpinfo() to get the full list of data/variables set by your
> server. Some here may ask for that info to help you further.

The output from phpinfo() looks perfectly normal and correct. It shows the
expected values for SERVER_NAME and HTTP_HOST.

> Scotty

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179853 is a reply to message #179832] Wed, 12 December 2012 12:11 Go to previous messageGo to next message
Christoph Becker is currently offline  Christoph Becker
Messages: 91
Registered: June 2012
Karma: 0
Member
Tony Marston wrote:
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How
> is this possible?

See <http://shiflett.org/blog/2006/mar/server-name-versus-http-host> for
a possible explanation.

--
Christoph M. Becker
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179854 is a reply to message #179853] Wed, 12 December 2012 13:00 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"Christoph Becker" wrote in message news:ka9s9b$ul4$1(at)speranza(dot)aioe(dot)org...
>
> Tony Marston wrote:
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>
> See <http://shiflett.org/blog/2006/mar/server-name-versus-http-host> for
> a possible explanation.
>

So according to that document it *IS* possible to visit a web site and cause
the value of $_SERVER['SERVER_NAME'] to be something other than what was
typed into the URL. How strange.

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179855 is a reply to message #179835] Wed, 12 December 2012 13:05 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"Paul Herber" wrote in message
news:sveec8dfsaseid5mqiv6cb5g3gro9euenn(at)news(dot)eternal-september(dot)org...
>
> On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson
> <noonehome(at)chalupasworld(dot)com> wrote:
>
>> On 12/11/2012 2:53 AM, Tony Marston wrote:
>>> I always understood than when activated through a web browser that
>>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>>> name under which the script was being run, but I have come across some
>>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>>> I wondered if this is legitimate or not.
>>>
>>> I have an application which exists on a live server and a test server,
>>> with a different database for each, and they both share a common config
>>> file which identifies which server it is running on so that it can use
>>> the relevant database credentials. If the server name does not match
>>> either of the live or test domain names (such as mydomain.com and
>>> test.mydomain.com) then it uses invalid credentials which causes an
>>> error when attempting to access the database. I never though that this
>>> error would ever appear, but lately I have been getting errors such as
>>> the following:
>>>
>>> Fatal Error: mysqli_connect(): Access denied for user
>>> 'default'@'localhost' (using password: YES).
>>> Error in line 259 of file
>>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>>>
>>> PHP_SELF: /index.php
>>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>>> SERVER_ADDR: nnn.nnn.nnn.nnn
>>> SERVER_NAME: www.yahoo.com
>>> HTTP_HOST: www.yahoo.com
>>> REMOTE_ADDR: 109.108.142.236
>>> REQUEST_URI: http://www.yahoo.com/
>>>
>>> In order to run this script on my live server the URL should have been
>>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>>> is this possible?
>>>
>>> Tony Marston
>>>
>>> http://www.tonymarston.net
>>> http://www.radicore.org
>>
>> Not an expert but it sounds that maybe your server/PHP engine is not
>> configured properly.
>>
>> I know REQUEST_URI should NOT be counted on.
>>
>> Who is your host provider?
>>
>> You may try phpinfo() to get the full list of data/variables set by your
>> server. Some here may ask for that info to help you further.
>>
>> Scotty
>
> If this is a script to process a form then be aware that anything can call
> the script
> (including webbots (good and bad), other web pages, anything. All incoming
> information
> could be forged.
>

All my pages include the same config file in order the set the database
connection parameters according to which version of the website is being
used, live or test, but if the server name is not recognised as one of those
two it causes an error. But if this value can be spoofed, how is it possible
to identify, with absolute certainty, the name of the server on which the
application is running?

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179856 is a reply to message #179839] Wed, 12 December 2012 13:10 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"M. Strobel" wrote in message news:aip563Ft79lU1(at)mid(dot)uni-berlin(dot)de...
>
> Am 11.12.2012 11:53, schrieb Tony Marston:
>> I always understood than when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under
>> which the script was being run, but I have come across some instances
>> where both
>> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is
>> legitimate
>> or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a
>> different database for each, and they both share a common config file
>> which
>> identifies which server it is running on so that it can use the relevant
>> database
>> credentials. If the server name does not match either of the live or test
>> domain
>> names (such as mydomain.com and test.mydomain.com) then it uses invalid
>> credentials
>> which causes an error when attempting to access the database. I never
>> though that
>> this error would ever appear, but lately I have been getting errors such
>> as the
>> following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using
>> password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this
>> possible?
>
> I can think of several ways:
>
> The client did not use HTTP/1.1 = client request without a hostname
>
> Something like apache mod_rewrite on the server is doing it
>
> any other misconfiguration on the server sites (hopefully temporary)
>
> /Str.

There are no mod_rewrite settings on the server or any other settings which
would cause an error as the site has been is use for some while without
incident, but I am occasionally seeing errors like this because my script
cannot recognise the value in SERVER_NAME. Somebody is trying to access my
site, but somehow they are able to force the value of SERVER_NAME to be
something other than the domain name.

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179857 is a reply to message #179852] Wed, 12 December 2012 13:27 Go to previous messageGo to next message
Scott Johnson is currently offline  Scott Johnson
Messages: 196
Registered: January 2012
Karma: 0
Senior Member
On 12/11/2012 11:25 PM, Tony Marston wrote:

>> You may try phpinfo() to get the full list of data/variables set by
>> your server. Some here may ask for that info to help you further.
>
> The output from phpinfo() looks perfectly normal and correct. It shows
> the expected values for SERVER_NAME and HTTP_HOST.
>

If you are getting the right value in SERVER_NAME and HTTP_HOST using
phpinfo() but are then getting a different value when you use the same
variable in your script, then you have an error in your script.

You may somewhere be setting the variables when you think you may be
comparing them.

if(SERVER_NAME = 'blabla')... set

if(SERVER_NAME == 'blabla')... compare
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179858 is a reply to message #179857] Wed, 12 December 2012 17:22 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>
> On 12/11/2012 11:25 PM, Tony Marston wrote:
>
>>> You may try phpinfo() to get the full list of data/variables set by
>>> your server. Some here may ask for that info to help you further.
>>
>> The output from phpinfo() looks perfectly normal and correct. It shows
>> the expected values for SERVER_NAME and HTTP_HOST.
>>
>
> If you are getting the right value in SERVER_NAME and HTTP_HOST using
> phpinfo() but are then getting a different value when you use the same
> variable in your script, then you have an error in your script.

These is no error in the script as it runs perfectly for thousands of
requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
$_SERVER['HOST_NAME'] contain values which are different from those which I
expect and which are reported by phpinfo(). It appears that is *IS* possible
for the client to spoof these values, as reported in
http://shiflett.org/blog/2006/mar/server-name-versus-http-host

> You may somewhere be setting the variables when you think you may be
> comparing them.
>
> if(SERVER_NAME = 'blabla')... set
>
> if(SERVER_NAME == 'blabla')... compare
>


--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179859 is a reply to message #179858] Wed, 12 December 2012 18:50 Go to previous messageGo to next message
Daniel Pitts is currently offline  Daniel Pitts
Messages: 68
Registered: May 2012
Karma: 0
Member
On 12/12/12 9:22 AM, Tony Marston wrote:
> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>
>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>
>>>> You may try phpinfo() to get the full list of data/variables set by
>>>> your server. Some here may ask for that info to help you further.
>>>
>>> The output from phpinfo() looks perfectly normal and correct. It shows
>>> the expected values for SERVER_NAME and HTTP_HOST.
>>>
>>
>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>> phpinfo() but are then getting a different value when you use the same
>> variable in your script, then you have an error in your script.
>
> These is no error in the script as it runs perfectly for thousands of
> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
> $_SERVER['HOST_NAME'] contain values which are different from those
> which I expect and which are reported by phpinfo(). It appears that is
> *IS* possible for the client to spoof these values, as reported in
> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>

The way that HTTP works, is that the client connects to the IP address,
and then sends the host name it was trying to connect to as part of the
headers. eg. Host: www.example.com. This allows for many virtual hosts
on a single IP/Port.

What could happen is that someone's DNS is pointing to your IP, and so
you receive a request that was meant for a different URL.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179860 is a reply to message #179859] Wed, 12 December 2012 19:34 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
On 12/12/12 18:50, Daniel Pitts wrote:
> On 12/12/12 9:22 AM, Tony Marston wrote:
>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>
>>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>
>>>> > You may try phpinfo() to get the full list of data/variables set by
>>>> > your server. Some here may ask for that info to help you further.
>>>>
>>>> The output from phpinfo() looks perfectly normal and correct. It shows
>>>> the expected values for SERVER_NAME and HTTP_HOST.
>>>>
>>>
>>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>> phpinfo() but are then getting a different value when you use the same
>>> variable in your script, then you have an error in your script.
>>
>> These is no error in the script as it runs perfectly for thousands of
>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>> $_SERVER['HOST_NAME'] contain values which are different from those
>> which I expect and which are reported by phpinfo(). It appears that is
>> *IS* possible for the client to spoof these values, as reported in
>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>
>
> The way that HTTP works, is that the client connects to the IP address,
> and then sends the host name it was trying to connect to as part of the
> headers. eg. Host: www.example.com. This allows for many virtual hosts
> on a single IP/Port.
>
> What could happen is that someone's DNS is pointing to your IP, and so
> you receive a request that was meant for a different URL.

all of which can be overcome by setting up the web server to reject or
redirect requests that have the wrong 'host' parameter...

--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179861 is a reply to message #179860] Thu, 13 December 2012 06:52 Go to previous messageGo to next message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma: 0
Member
"The Natural Philosopher" wrote in message
news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>
> On 12/12/12 18:50, Daniel Pitts wrote:
>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>>
>>>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>>
>>>> >> You may try phpinfo() to get the full list of data/variables set by
>>>> >> your server. Some here may ask for that info to help you further.
>>>> >
>>>> > The output from phpinfo() looks perfectly normal and correct. It shows
>>>> > the expected values for SERVER_NAME and HTTP_HOST.
>>>> >
>>>>
>>>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> phpinfo() but are then getting a different value when you use the same
>>>> variable in your script, then you have an error in your script.
>>>
>>> These is no error in the script as it runs perfectly for thousands of
>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>> which I expect and which are reported by phpinfo(). It appears that is
>>> *IS* possible for the client to spoof these values, as reported in
>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>
>>
>> The way that HTTP works, is that the client connects to the IP address,
>> and then sends the host name it was trying to connect to as part of the
>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>> on a single IP/Port.
>>
>> What could happen is that someone's DNS is pointing to your IP, and so
>> you receive a request that was meant for a different URL.
>
> all of which can be overcome by setting up the web server to reject or
> redirect requests that have the wrong 'host' parameter...

And exactly how might that be done, O Great One?

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179862 is a reply to message #179861] Thu, 13 December 2012 07:02 Go to previous messageGo to next message
Anders Wegge Keller is currently offline  Anders Wegge Keller
Messages: 30
Registered: May 2012
Karma: 0
Member
"Tony Marston" <TonyMarston(at)hotmail(dot)com> writes:

> "The Natural Philosopher" wrote in message

>> all of which can be overcome by setting up the web server to reject
>> or redirect requests that have the wrong 'host' parameter...

> And exactly how might that be done, O Great One?

With name-based virtual hosts, apache will match the name from the
request to the vhost. So setting up a wildcard match to catch requests
for hosts, not explicitliy definded, should match that requirement.

Also, I suspect that the OP has a configuration directive similar to
"<VirtualHost *:80>", for these kind of problems to happen in the
first place.

--
/Wegge

Leder efter redundant peering af dk.*,linux.debian.*
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179863 is a reply to message #179861] Thu, 13 December 2012 11:43 Go to previous message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
On 13/12/12 06:52, Tony Marston wrote:
> "The Natural Philosopher" wrote in message
> news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>>
>> On 12/12/12 18:50, Daniel Pitts wrote:
>>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>> >
>>>> > On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>> >
>>>> >>> You may try phpinfo() to get the full list of data/variables set by
>>>> >>> your server. Some here may ask for that info to help you further.
>>>> >>
>>>> >> The output from phpinfo() looks perfectly normal and correct. It
>>>> >> shows
>>>> >> the expected values for SERVER_NAME and HTTP_HOST.
>>>> >>
>>>> >
>>>> > If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> > phpinfo() but are then getting a different value when you use the same
>>>> > variable in your script, then you have an error in your script.
>>>>
>>>> These is no error in the script as it runs perfectly for thousands of
>>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>>> which I expect and which are reported by phpinfo(). It appears that is
>>>> *IS* possible for the client to spoof these values, as reported in
>>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>>
>>>
>>> The way that HTTP works, is that the client connects to the IP address,
>>> and then sends the host name it was trying to connect to as part of the
>>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>>> on a single IP/Port.
>>>
>>> What could happen is that someone's DNS is pointing to your IP, and so
>>> you receive a request that was meant for a different URL.
>>
>> all of which can be overcome by setting up the web server to reject or
>> redirect requests that have the wrong 'host' parameter...
>
> And exactly how might that be done, O Great One?
>
Read the apache documentation for how apache does virtual servers.

It selects the website based not on IP address but on HOST type commands.

So for apache you create the default site, BUT it simply says 'you must
have got it wrong' because all your VALID sites are in fact 'virtual' ones.

I've got half a dozen sites sharing the same IP address. The default
site is an 'I don't care' one where I stuff photo albums for a quick way
to share pictures with friends. If you go in with host: unset, that's
where you end up.






--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Recommendations for PHP Chart generation?
Next Topic: Printing out or displaying for debugging
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 21 21:42:45 GMT 2024

Total time taken to generate the page: 0.02763 seconds