[TYPO3-dev] config.baseURL, lt_basetag and security
Martin Kutschker
masi-no at spam-typo3.org
Sat Sep 26 16:47:36 CEST 2009
Ernesto Baschny [cron IT] schrieb:
> Marc Wöhlken schrieb:
>
>> In earlier TYPO3 versions (< 4.0?) it was possible to use config.baseURL
>> = 1 to let TYPO3 determine the correct current base url.
>>
>> AFAIK this feature had been disabled for security reasons (XSS?).
>>
>> Yesterday I stumbled over an extension called lt_basetag which does
>> exactly what the above mentioned option did.
>>
>> Is this of concern when thinking in terms of security? Could someone
>> possibly explain why the "old" approach was not safe?
>
> The old approach relied on the $_SERVER["HTTP_HOST"] variable, which
> under certain circumstances can be manipulated "at will" by an attacker.
>
> These circumstances are for example when IP-Based VirtualHosting is
> applied (one IP hosts one single TYPO3 installation) so the webserver
> (Apache) doesn't check or interpret the provided "Host:" from the GET
> requests, but still transfers it to the $_SERVER variable in PHP.
>
> So the attacker could call:
>
> telnet ip-address 80
> ...
> GET / HTTP/1.0
> Host: www.yahoo.com
In such a case the host should be ignored as 1.0 doesn't know about the
Host: header :)
I think it is a good practice not to run a real site on the default host
of Apache, so only configured name-based virtual hosts are ever reached
via a Host: header.
Masi
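The point both posts make is that $_SERVER["HTTP_HOST"] is client-supplied input: on a default (catch-all) virtual host, or in an HTTP/1.0 request that carries no Host: header at all, its value is whatever the client chose, so anything derived from it (a <base> tag, absolute links, redirects) inherits that choice. The following is an added illustration, not code from this thread, from TYPO3 or from the lt_basetag extension: a small PHP function that builds a base URL from the request but only accepts a Host: value that is on an operator-configured allowlist, and otherwise falls back to a configured host (the equivalent of a static config.baseURL). The function name, the allowlist and all request values are hypothetical.

```php
<?php
// Added example (not TYPO3 or lt_basetag code): derive a base URL without
// trusting an attacker-controlled Host: header.
//
// Assumptions (hypothetical values for illustration only):
//   - $allowedHosts is the operator's configured list of hostnames this
//     installation legitimately serves.
//   - $fallbackHost is used when the request's Host: is absent or not on
//     the list, like a statically configured config.baseURL.

/**
 * Return a safe base URL for the current request.
 *
 * @param array<string,mixed> $server       Usually $_SERVER, passed in so it can be tested offline
 * @param string[]            $allowedHosts Exact hostnames (with port, if non-default) that are trusted
 * @param string              $fallbackHost Host to use when the requested host is untrusted
 */
function safeBaseUrl(array $server, array $allowedHosts, string $fallbackHost): string
{
    // Scheme comes from the server's own TLS flag, never from a client header.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';

    // The Host: header may be missing (HTTP/1.0) or freely chosen by the
    // client on a default virtual host, so it is validated, not trusted.
    $requested = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));

    // Normalise the allowlist the same way so the comparison is exact.
    $allowed = array_map('strtolower', $allowedHosts);

    // Exact, strict match only. Substring or prefix checks are where
    // "www.example.org.attacker.test" style bypasses creep in.
    $host = in_array($requested, $allowed, true) ? $requested : $fallbackHost;

    return $scheme . '://' . $host . '/';
}

// Usage with constructed request data (not real traffic):
$allowed  = ['www.example.org', 'example.org'];
$fallback = 'www.example.org';

// Legitimate request: Host is on the allowlist, so it is used as-is.
echo safeBaseUrl(['HTTP_HOST' => 'www.example.org', 'HTTPS' => 'on'], $allowed, $fallback), "\n";

// Spoofed Host, as in the telnet exchange quoted above: the configured
// fallback is used instead of the client-supplied name.
echo safeBaseUrl(['HTTP_HOST' => 'www.yahoo.com'], $allowed, $fallback), "\n";

// HTTP/1.0 request with no Host header at all: also falls back.
echo safeBaseUrl([], $allowed, $fallback), "\n";
```

The check is deliberately an exact match against a short configured list rather than a pattern, and the scheme is taken from the server's own HTTPS flag rather than from anything the client sent. It complements, rather than replaces, the server-side measure Masi suggests: if the default Apache host serves nothing real, a spoofed Host: never reaches the application in the first place.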