Hi Dan
Got it! Sure I will react only to "my" domains, i.e. validate/sanitize HTTP_HOST.
Relieved to know that there are no other simple attacks. I am not worried about sophisticated attacks. This is for a less privileged / less demanding group - and the domain (it'll be sub-domains of a single main domain) won't be mine. Will pass a full danger report to them and get their written OK as a promise not to complain.
From what I saw in my quick test today, this approach will be very valuable to them. Good Karma is never lost.