*** This bug is a security vulnerability ***

Private security bug reported:

In PHPDS.inc.php, line 358, in PHPDS->configSession(), we use $_SERVER['HTTP_HOST'] to build the absolute URL, which will later be injected in HTML. In some cases this can be a security flaw:
http://shiflett.org/blog/2006/mar/server-name-versus-http-host

Very tricky, but we should look into it.

** Affects: phpdevshell
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of PHPDevShell, which is subscribed to PHPDevShell.
https://bugs.launchpad.net/bugs/1202451

Title:
  Using $_SERVER['HTTP_HOST'] may allow XSS

Status in Open Source PHP RAD Framework with UI.:
  New
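The two halves of the fix the report is asking for, shown as an added example that is not PHPDevShell's code and does not reproduce PHPDS->configSession(): the Host header is client-supplied, so the application should (a) accept it only when it matches a configured allowlist of hosts it actually serves, falling back to a canonical host otherwise, and (b) still HTML-escape the resulting URL at the point where it is written into markup. The function names, the $allowedHosts list and the sample request array below are assumptions made for illustration.

```php
<?php
// Added example, not code from PHPDS.inc.php. Function names, the allowlist
// and the sample request are illustrative assumptions.

// Pattern the bug describes: whatever the client sent in the Host header is
// concatenated into the base URL and later lands in HTML unchanged.
function buildBaseUrlUnsafe(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/';
}

// Hardened pattern: the header is only used if it is syntactically a host
// (optionally with a port) AND appears in the list of hosts this deployment
// serves; otherwise the configured canonical host is used instead.
function buildBaseUrlSafe(array $server, array $allowedHosts, string $canonicalHost): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = strtolower(trim((string)($server['HTTP_HOST'] ?? '')));

    // RFC 1123-style labels joined by dots, optional :port, 253 chars max.
    $syntaxOk = (bool)preg_match(
        '/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*'
        . '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(:[0-9]{1,5})?$/',
        $host
    );

    if (!$syntaxOk || !in_array($host, $allowedHosts, true)) {
        $host = $canonicalHost; // untrusted value is discarded, not sanitised
    }
    return $scheme . '://' . $host . '/';
}

// Output encoding belongs at the sink: escape for an HTML attribute context
// even when the URL has already passed the allowlist.
function renderBaseTag(string $baseUrl): string
{
    return '<base href="' . htmlspecialchars($baseUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// --- Constructed sample requests (not captured traffic) ---
$allowedHosts  = ['www.example.com', 'www.example.com:8443'];
$canonicalHost = 'www.example.com';

// 1. A request for a host we really serve passes through unchanged.
$good = ['HTTP_HOST' => 'www.example.com', 'HTTPS' => 'on'];
echo renderBaseTag(buildBaseUrlSafe($good, $allowedHosts, $canonicalHost)), "\n";
// <base href="https://www.example.com/">

// 2. A Host value we do not serve (here containing a quote character) is
//    replaced by the canonical host, so the URL never points elsewhere.
$odd = ['HTTP_HOST' => 'not-our-host.example"', 'HTTPS' => 'on'];
echo renderBaseTag(buildBaseUrlSafe($odd, $allowedHosts, $canonicalHost)), "\n";
// <base href="https://www.example.com/">

// 3. The unsafe builder would have carried that value through; escaping at
//    the sink still neutralises the quote, but only for the HTML context.
echo renderBaseTag(buildBaseUrlUnsafe($odd)), "\n";
// <base href="https://not-our-host.example&quot;/">
```

The allowlist and the escaping address different risks: htmlspecialchars() stops the header from breaking out of the attribute, while the allowlist stops the absolute URL from pointing at a host the application does not own (which matters for links that leave the HTML context, such as redirects or e-mailed links). A deployment behind a reverse proxy should populate the allowlist with the external hostnames the proxy forwards, not only the backend's own name.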

