Insecure HTTP_HOST usage
| Reported by: | blues | Owned by: | |
| Priority: | 1 - Highest | Milestone: | 0.1-beta2 |
/***** try to load host-specific configuration *****/
@include($_SERVER['HTTP_HOST'].'.inc.php');
It's really insecure, because the HTTP Host: header is spoofable!
Apache does some sanity checks, but you can't rely on that. Besides, there are many other HTTP servers.
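
One way to address the report, as an added example (not code from the ticket or the project): look the Host value up in a fixed allowlist and build the file name from the allowlist entry, never from the header text. The host names, the `conf` directory and the function name `host_config_path` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the hosts this installation serves (constructed sample values).
const ALLOWED_HOSTS = ['example.org', 'www.example.org'];

/**
 * Map a raw Host header to a config file path, or null if the host is not
 * one we serve. The file name is built from the allowlist entry, so no
 * client-supplied bytes ever reach include().
 */
function host_config_path(?string $rawHost, array $allowed, string $dir): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    // Normalise: case-insensitive, drop an optional :port and a trailing dot.
    $host = strtolower($rawHost);
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');

    // Strict comparison against known names; anything else is rejected.
    $idx = array_search($host, $allowed, true);
    if ($idx === false) {
        return null;
    }
    return $dir . '/' . $allowed[$idx] . '.inc.php';
}

// Constructed header values showing which ones resolve to a config file.
$samples = ['example.org', 'WWW.Example.org:8080', 'unlisted.example', 'a/b', null];
foreach ($samples as $h) {
    $path = host_config_path($h, ALLOWED_HOSTS, __DIR__ . '/conf');
    printf("%-24s => %s\n", var_export($h, true), $path ?? '(no host-specific config)');
}

// In the application, in place of @include($_SERVER['HTTP_HOST'].'.inc.php'):
$path = host_config_path($_SERVER['HTTP_HOST'] ?? null, ALLOWED_HOSTS, __DIR__ . '/conf');
if ($path !== null && is_file($path)) {
    include $path; // no @ here: a broken config file should surface as an error
}
```

Unknown or malformed hosts fall through to the default configuration instead of selecting a file, so the behaviour no longer depends on what the web server does with the Host header.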