Cache poisoning through http(s) enforcement feature
When a site is requested with another hostname (set to the same IP) and IP-based hosting is used, all links that are enforced to use a different scheme will take this (forged) hostname into account.
Updated by Christian Kuhn about 9 years ago
This is related to the 'shortcut-icon' problem in #20381 and boils down to the fact that we do not have an API in FE to determine a valid domain name.
We have ideas to make for example 'domain records' required somehow, but we must tackle possible server scenarios carefully.
Updated by Christian Kuhn almost 7 years ago
This is related to the 'shortcut-icon' problem in #20381.
Main issue is that $_SERVER['HTTP_HOST'] cannot be trusted, see
Domain records cannot be used as they are restricted to FE, but we must fix this issue in BE and install tool, too.
Discussion during security sprint hh 2013:
We will implement a new config LocalConfiguration ['SYS']['TRUSTED_HOSTS'] parameter (possible regex), that can be set and is used in GeneralUtility::getIndpEnv() (main patch). Default is a "catch-all".
We should push information about this attack vector into the wild.
In the public there should follow further patches to add wizards/install-procedures/report-module/tce-main-domain-record-hooks/more. Their goal is to make the administration of this parameter as convenient as possible.
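
A sketch of the kind of check the trusted-hosts parameter discussed above implies, added here as an example; it is not TYPO3's implementation. The function names, the sample pattern and the sample hosts are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not TYPO3 core code. $trustedHostsPattern stands in for
// the ['SYS']['TRUSTED_HOSTS'] setting from the discussion; '.*' is the catch-all.
function isTrustedHost(string $hostHeader, string $trustedHostsPattern): bool
{
    // Accept only a plain host[:port] value. The D modifier stops "$" from
    // matching before a trailing newline, so "example.org\n" is rejected.
    $syntax = '#^(?<host>[a-z0-9.-]+|\[[0-9a-f:]+\])(?::\d{1,5})?$#iD';
    if (preg_match($syntax, $hostHeader, $m) !== 1) {
        return false;
    }
    // Anchor the configured pattern so it has to match the whole host name.
    // Assumption: the configured pattern does not contain the "#" delimiter.
    return preg_match('#^(?:' . $trustedHostsPattern . ')$#iD', $m['host']) === 1;
}

// Build a scheme-enforced absolute URL only from a host that passed the check.
function buildEnforcedUrl(string $scheme, string $hostHeader, string $path, string $pattern): string
{
    if (!isTrustedHost($hostHeader, $pattern)) {
        throw new UnexpectedValueException('Host header does not match the trusted hosts pattern');
    }
    return $scheme . '://' . strtolower($hostHeader) . $path;
}

// Constructed sample values for illustration only.
$hosts = ['www.example.org', 'example.org:8443', 'forged.example.net', "example.org\n"];
$patterns = ['restricted' => '(www\.)?example\.org', 'catch-all' => '.*'];

foreach ($patterns as $label => $pattern) {
    echo "Pattern ($label): $pattern", PHP_EOL;
    foreach ($hosts as $host) {
        try {
            echo '  ', buildEnforcedUrl('https', $host, '/login', $pattern), PHP_EOL;
        } catch (UnexpectedValueException $e) {
            echo '  rejected: ', json_encode($host), PHP_EOL;
        }
    }
}
```

With the restricted pattern the forged hostname is rejected before it can end up in a generated (and cached) link; with the catch-all default it is still accepted, so the parameter only protects once it has been set to the site's real host names.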