DerScanner
Home / Vulnerability Database / PHP : Untrusted HTTP_HOST source
PHP

PHP : Untrusted HTTP_HOST source

Classification

OWASP Top 10 2013
A1-Injection
OWASP ASVS
Validation, Sanitization and Encoding
PCI DSS 4.0
6.2.4
CWE
CWE-1027

Overview

The application uses the HTTP_HOST variable, whose value is derived from the request header. An attacker can replace the value of this variable.

Variable HTTP_HOST returns the contents of the Host header from the current request, if there is one. The value of the variable can be changed by sending a different Host header when accessing the website. The attacker may perform phishing attack or cache poisoning.

References

  1. PHP \(_SERVER\['HTTP_HOST'\] vs. \)_SERVER[‘SERVER_NAME’] - stackoverflow.com
  2. HTTP_HOST and SERVER_NAME Security Issues
  3. OWASP Top 10 2017-A1-Injection
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
MEDIUM

DerScanner Severity Score

Do you want to fix PHP : Untrusted HTTP_HOST source in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt