- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Wed, 10 Feb 2010 18:21:58 -0500
- To: Maciej Stachowiak <mjs@apple.com>, Bil Corry <bil@corry.biz>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
On Tue, Feb 9, 2010 at 2:50 PM, Maciej Stachowiak <mjs@apple.com> wrote: > A sever can generally determine the domain name of the host it is running on from the operating system, if it wants to run with zero configuration. That is apparently what Apache does: > > http://httpd.apache.org/docs/1.3/mod/core.html#servername That link says "this may not work reliably, or may not return the preferred hostname." *If* server implementers would be willing to have their servers refuse to work unless explicitly configured or the request host matches reverse DNS/OS hostname, then I agree as a web developer that that would be great. On Wed, Feb 10, 2010 at 4:37 AM, Bil Corry <bil@corry.biz> wrote: > Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged then viewed via a web browser. That's just straight XSS. > And some webapps conditionally show debugging information based on the host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace. Simply forging the host header allows an attacker to view the full debugging information. I'd be surprised if this were common enough to be worth worrying about.
Received on Wednesday, 10 February 2010 23:22:33 UTC