Opened 7 years ago
Closed 7 years ago
#1483849 closed Bugs (fixed)
Insecure HTTP_HOST usage
| Reported by: | blues | Owned by: | |
|---|---|---|---|
| Priority: | 1 - Highest | Milestone: | 0.1-beta2 |
| Component: | Security | Version: | 0.1-beta |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
From main.inc.php:

```php
/***** try to load host-specific configuration *****/
@include($_SERVER['HTTP_HOST'].'.inc.php');
```

It's really insecure, because the HTTP Host: header is spoofable!
Apache does some sanity checks but you can't rely on that. Besides - there are many other HTTP servers.
Change History (5)
comment:1 Changed 7 years ago by blues
- Priority changed from 7 to 10
comment:2 Changed 7 years ago by blues
- Priority changed from 10 to 1
comment:3 Changed 7 years ago by adam
All of the developers on this project are quite busy with other things - if you can, please post a patch or alternative method to avoid this problem.
comment:4 Changed 7 years ago by blues
First of all - I'm not a PHP programmer...
I'll show some idea of securing that inclusion, which will be quite good...
- loading the host-specific configuration file should be on-demand, IMO. That's why some config option should appear, i.e.:
  `$rcmail_config['include_host_config']=TRUE/FALSE;`
  Of course - false by default.
- that inclusion should go to some other file, somewhere in "program"
- parsing of `$_SERVER['HTTP_HOST']` can be done in various ways. The obvious way is to make some preg_match with a regexp that'll match hostnames only. There can be some static host list (not a nice solution) also.
As I said, I'm not a PHP programmer - the choice of the Right_Solution(TM) isn't up to me. For me, commenting out that inclusion is working...
And this BUG is something that HAS to be fixed. Or roundcube will be software with known security bugs...
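The following is an added example, not code from the ticket or from Roundcube itself, showing the quoted `@include($_SERVER['HTTP_HOST'].'.inc.php')` pattern from the description beside a hardened version that follows the three points in the comment above: an opt-in `include_host_config` option that defaults to false, a hostname-only regular expression, and the include moved into its own function. The function name `rcmail_host_config_file`, the `$config_dir` parameter and the sample host values are assumptions made for the example; only the option name comes from the ticket.

```php
<?php
// Added example (not Roundcube's code).
//
// Vulnerable pattern quoted in the ticket, for contrast only:
//     @include($_SERVER['HTTP_HOST'].'.inc.php');
// Whatever the client sends in the Host: header becomes part of an include
// path, so the file that gets included is chosen by the client, not the admin.

// Hypothetical config array using the option name suggested in the ticket.
$rcmail_config = array();
$rcmail_config['include_host_config'] = false;   // off by default, as suggested

/**
 * Return the absolute path of the host-specific config file to include,
 * or null when the feature is off, the host name is not acceptable, or no
 * such file exists inside $config_dir.
 *
 * @param array  $config     configuration array (reads 'include_host_config')
 * @param string $host       raw Host header value ($_SERVER['HTTP_HOST'])
 * @param string $config_dir directory the host config files must live in
 * @return string|null
 */
function rcmail_host_config_file(array $config, $host, $config_dir)
{
    // 1. The include is opt-in; nothing happens unless the admin enabled it.
    if (empty($config['include_host_config'])) {
        return null;
    }

    // 2. Strip an optional :port suffix; files are keyed on the host name only.
    $host = preg_replace('/:\d+$/', '', (string) $host);

    // 3. Accept only a syntactically valid DNS host name: dot-separated labels
    //    of letters, digits and hyphens (1-63 chars each, no leading/trailing
    //    hyphen), 253 chars overall. This rejects '/', '..', NUL bytes, '%'
    //    and everything else that is not a host name.
    if (strlen($host) > 253 ||
        !preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i', $host)) {
        return null;
    }
    $host = strtolower($host);

    // 4. Resolve the candidate path and confirm it really sits inside the
    //    config directory; realpath() also returns false when the file is
    //    missing, so a missing file simply means "no host config".
    $dir  = realpath($config_dir);
    $file = realpath($config_dir . DIRECTORY_SEPARATOR . $host . '.inc.php');
    if ($dir === false || $file === false ||
        strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $file;
}

// How main.inc.php would use it (the config directory is an assumption):
$raw_host  = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$host_file = rcmail_host_config_file($rcmail_config, $raw_host, __DIR__ . '/config');
if ($host_file !== null) {
    include $host_file;
}

// Constructed inputs and the outcome each one gets:
//   'mail.example.com'        -> config/mail.example.com.inc.php, if that file exists
//   'mail.example.com:8080'   -> port dropped, then handled as above
//   '../../etc/passwd'        -> null, rejected by the host name regexp
//   'anything' while include_host_config is false -> null, feature disabled
```

Two design points worth noting: the regexp is a positive allowlist of what a host name may look like rather than a blocklist of dangerous characters, and the `realpath()` containment check is deliberately redundant with it, so a future loosening of the regexp cannot by itself reopen the include-from-anywhere behaviour the ticket describes. A static list of known virtual hosts, as the comment also mentions, would slot in as an additional `in_array()` check after step 3.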
comment:5 Changed 7 years ago by thomasb
- Milestone set to 0.1-beta2
- Resolution set to fixed
- Status changed from new to closed
I agree and have changed the way host-specific config files are included as you suggested.

Nobody cares about that?