[wp-hackers] Virtual Multiblog

Computer Guru computerguru at neosmart.net
Mon Nov 26 09:03:39 GMT 2007


What matters is how you configure your web server. If you're using Apache or
IIS and have it set to direct by *exact* host header to a folder of the same
name, you're safe. But if you have a wildcard host (for instance, redirect
all %host%.mydomain.com to wwwroot/%host%/ and if it doesn't match, grab
content from wwwroot/main/) then you're screwed.


On 11/26/07, Kimmo Suominen <kimmo at global-wire.fi> wrote:
>
> It doesn't matter what you have in DNS.  The Host: header in the
> HTTP request doesn't have to match your DNS information.
>
> Best regards,
> + Kimmo
> --
> <A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
>
> On Mon, Nov 26, 2007 at 11:24:47AM +0800, Max wrote:
> > Hello,
> >
> > Thanks a lot.
> >
> > Yes, that's right. If you config your dns as wildcard, you will have
> > security, so I usually don't allow wildcard in dns.
> >
> > Max
> >
> > On Nov 26, 2007 4:03 AM, Andy Skelton <skeltoac at gmail.com> wrote:
> > > On Nov 25, 2007 10:29 AM, Max <maxbear at gmail.com> wrote:
> > > > $table_prefix = ereg_replace('^(www\.)', '', $_SERVER['HTTP_HOST']);
> > > > $table_prefix = ereg_replace('\.', '', $table_prefix);
> > > > $table_prefix = ereg_replace('\-', '', $table_prefix);
> > > > $table_prefix = $table_prefix . '_';
> > >
> > > At first glance, this looks like very unsafe code. It opens the door
> > > to SQL injection attacks via the Host header. Your server may be
> > > configured in a way that protects against it, but your code could be
> > > very insecure on a lot of servers.
> > >
> > > This closes the door:
> > >
> > > $table_prefix = preg_replace('/[^a-z0-9]/', '',
> $_SERVER['HTTP_HOST']);
> > >
> > > Tweak it for your specific needs, but don't let any dangerous
> > > characters into your table names.
> > >
> > > Cheers,
> > > Andy
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/


More information about the wp-hackers mailing list