Task #99347
Updated by Oliver Hader almost 2 years ago
In case the web server scenario is not properly configured to deny
HTTP host header injection, and the @trustedHostsPattern@ is not explicit
enough, a corresponding check in the reports module will issue
an error message like
* @HTTP_HOST@ contained unexpected "a0a3aa2f59.random.example.org"
* @SERVER_NAME@ contained unexpected "a0a3aa2f59.random.example.org"
Using the configuration directive @UseCanonicalName On@ for Apache
web server environments mitigates the risk.
This is related to a side note in https://typo3.org/security/advisory/typo3-core-sa-2014-001
which introduced the @trustedHostsPattern@ configuration.
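The check described above, modelled in Python as an added example (not TYPO3's own reports-module code). It assumes the semantics of @trustedHostsPattern@ as a regular expression that must match the whole host value, with the special value @SERVER_NAME@ meaning the host header must equal the server's own name; the host names and pattern in the sample environments are constructed.

```python
import re

# Assumed special value: compare HTTP_HOST against SERVER_NAME instead of a regex.
SERVER_NAME_MODE = "SERVER_NAME"


def is_trusted_host(host: str, server_name: str, trusted_hosts_pattern: str) -> bool:
    """Return True if `host` is acceptable under `trusted_hosts_pattern`."""
    if trusted_hosts_pattern == SERVER_NAME_MODE:
        # Assumption: an optional :port suffix is ignored in SERVER_NAME mode.
        return host.split(":")[0].lower() == server_name.lower()
    # Regex mode: the pattern has to cover the full value, not just a prefix,
    # otherwise "example.org" would also accept "example.org.attacker.test".
    return re.fullmatch(trusted_hosts_pattern, host, re.IGNORECASE) is not None


def report_unexpected_hosts(env: dict, trusted_hosts_pattern: str) -> list:
    """One report line per server variable whose value is not trusted.

    With UseCanonicalName Off, Apache derives SERVER_NAME from the client's
    Host header, so an injected host shows up in both variables at once.
    """
    server_name = env.get("SERVER_NAME", "")
    messages = []
    for var in ("HTTP_HOST", "SERVER_NAME"):
        value = env.get(var, "")
        if not is_trusted_host(value, server_name, trusted_hosts_pattern):
            messages.append(f'{var} contained unexpected "{value}"')
    return messages


# Constructed sample data: a too-loose pattern would be r".*"; this one is explicit.
TRUSTED_PATTERN = r"www\.example\.org(:\d+)?"
INJECTED_ENV = {
    "HTTP_HOST": "a0a3aa2f59.random.example.org",
    "SERVER_NAME": "a0a3aa2f59.random.example.org",  # leaked in via UseCanonicalName Off
}
CLEAN_ENV = {"HTTP_HOST": "www.example.org:8080", "SERVER_NAME": "www.example.org"}

if __name__ == "__main__":
    for line in report_unexpected_hosts(INJECTED_ENV, TRUSTED_PATTERN):
        print("*", line)
```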