
WordPress 4.8.1 still vulnerable to Host Header Attack - learntopdown
https://learnwebdevelopment.review/article/wordpress-481-still-vulnerable-to-host-header-attack
======
kels
I get where WordPress is coming from by not fixing this issue since it's an
Apache thing. But since Apache's default value causes this to happen I think
the framework should try to protect its users. The normal user that had their
WordPress installed using an application installer on a shared host isn't
going to know about this issue.

~~~
KekDemaga
As mentioned in a previous discussion by calibas, PHP.net has this disclaimer:

"Note: Under Apache 2, you must set UseCanonicalName = On and ServerName.
Otherwise, this value reflects the hostname supplied by the client, which can
be spoofed. It is not safe to rely on this value in security-dependent
contexts."

So it seems to be clearly a WordPress issue.

------
wolfgang42
AKA CVE-2017-8295. Original report on HN 4 months ago, 70 comments:
[https://news.ycombinator.com/item?id=14263252](https://news.ycombinator.com/item?id=14263252)

------
bluetech
Django has an ALLOWED_HOSTS setting, which must be provided even in debug and
test configurations. I'm surprised WordPress doesn't have a similar setting;
accepting any arbitrary Host can only cause trouble (at least for those
uninformed sites which don't already prevent it at the web server level).
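
An added example, not part of the comment above and not Django's or WordPress's own code: a minimal Host allowlist check in the spirit of the ALLOWED_HOSTS setting the comment describes. The hostnames, the leading-dot subdomain convention as implemented here, and all function names are assumptions for illustration.

```python
import re

# Hypothetical allowlist; a leading dot admits the domain and its subdomains.
ALLOWED_HOSTS = ["blog.example.com", ".example.org"]

# host[:port], where host is a DNS name/IPv4 literal or a bracketed IPv6 literal.
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::(\d{1,5}))?")


def split_host(header_value):
    """Return (host, port) from a raw Host header value, or None if malformed."""
    m = _HOST_RE.fullmatch(header_value.strip().lower())
    if m is None:
        return None
    host, port = m.group(1), m.group(2)
    if port is not None and not 0 < int(port) < 65536:
        return None
    if host.endswith("."):  # "example.com." names the same host
        host = host[:-1]
    return (host, port) if host else None


def host_matches(host, pattern):
    """Exact match, or domain-plus-subdomains match for a leading-dot pattern."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed_host(header_value, allowed=ALLOWED_HOSTS):
    """True only if the client-supplied Host parses and is on the allowlist."""
    parsed = split_host(header_value)
    return parsed is not None and any(host_matches(parsed[0], p) for p in allowed)


if __name__ == "__main__":
    # Constructed sample Host header values.
    for value in ["blog.example.com", "BLOG.example.com:8080", "shop.example.org",
                  "attacker.example", "evilexample.org",
                  "blog.example.com@attacker.example"]:
        print(f"{value!r:40} -> {'accept' if is_allowed_host(value) else 'reject'}")
```

A request whose Host fails this check would be rejected before the value is used anywhere, rather than falling back to whatever the client sent.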

------
davidbhayes
A less inflamed take on the topic I found illuminating:
[https://pagely.com/blog/2017/05/exploitbox-unauthorized-pass...](https://pagely.com/blog/2017/05/exploitbox-unauthorized-password-reset-vulnerability-wordpress/)

~~~
fencepost
More informative, but a nightmare to read. Thin gray font on a white
background?

------
mikey_p
This is why Symfony HttpFoundation has the notion of trusted hosts which is
configurable.

------
jtwebman
It is open source so anyone could submit a PR for it, though they might get
more help if they drop svn and go with GitHub.

