1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug Host header manipulation

Discussion in 'Resolved Bug Reports' started by Moes, Feb 16, 2016.

  1. Moes

    Moes New Member

    By manipulation of the host header Xenforo loads resources from any host provided by user input. This could be a problem when pages are being cached. A cache poisoning attack might then cause big trouble. Isn't there a fix available for this?

    Thanks in advance
  2. Mike

    Mike XenForo Developer Staff Member

    XenForo doesn't do page caching like that out of the box. This would be site-level URL canonicalization (to ensure the host is always what you expect) and is really something that should be handled outside of XenForo.

    If you have any questions about doing this canonicalization, please associate your account with your license and post in the support forum.

Share This Page