
Not a bug Host header manipulation

Moes

New member
#1
By manipulation of the Host header, XenForo loads resources from any host provided by user input. This could be a problem when pages are being cached. A cache poisoning attack might then cause big trouble. Isn't there a fix available for this?

Thanks in advance
 

Mike

XenForo developer
Staff member
#2
XenForo doesn't do page caching like that out of the box. This would be site-level URL canonicalization (to ensure the host is always what you expect) and is really something that should be handled outside of XenForo.

If you have any questions about doing this canonicalization, please associate your account with your license and post in the support forum.
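
The site-level host canonicalization described in the reply above, sketched as an added example that is not part of the thread and not XenForo code: a front-end check that decides, before a request reaches the application or any cache, whether its Host value is the expected one. The host names `forum.example.com` and `www.forum.example.com` and the function name `decide` are placeholders assumed for illustration.

```python
import re

CANONICAL_HOST = "forum.example.com"     # assumed canonical name (placeholder)
ALIASES = {"www.forum.example.com"}      # assumed alias that should redirect (placeholder)

# A DNS name, an optional trailing dot and an optional :port. Anything else
# (spaces, '@', '/', commas, several values in one header) fails to match.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::\d{1,5})?$"
)


def decide(host_header, path="/", scheme="https"):
    """Return (status, location) for a request's Host header value.

    200: Host is canonical; forward upstream with Host set to CANONICAL_HOST
    301: known alias; redirect to the canonical URL
    400: missing, malformed or unexpected Host; do not forward or cache

    `path` is assumed to be the request path already parsed by the server.
    """
    if not host_header:
        return 400, None
    match = _HOST_RE.match(host_header.strip().lower())
    if match is None:
        return 400, None
    name = match.group("name")
    if name == CANONICAL_HOST:
        return 200, None
    if name in ALIASES:
        # The Location is built from the constant, never from the request value.
        return 301, f"{scheme}://{CANONICAL_HOST}{path}"
    return 400, None


if __name__ == "__main__":
    # Constructed sample Host values, not taken from any real traffic.
    for sample in ["forum.example.com", "FORUM.example.com:443",
                   "www.forum.example.com", "other.example.net",
                   "forum.example.com@other.example.net", ""]:
        print(repr(sample), "->", decide(sample, "/threads/1"))
```

Because every absolute URL and redirect is derived from the fixed canonical name, a cache placed behind this check only ever stores responses generated for that one host.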