dns-name instead of ip?

  • Resolved WP-Henne

    (@wp-henne)


    4 years, 3 months ago

    Hello,

    nice plugin, for me it would be perfect an more easier while having dyndns-aliases for users – what about checking by dns.name?
    And according to this: including wildcards like “homeoffice*.noip.org” to check “homeoffice1.noip.org”, “homeoffice2.noip.org” …?

    Thank You!

Viewing 1 replies (of 1 total)
  • Plugin Author brijeshk89

    (@brijeshk89)

    Hi,

    We evaluated this feature and our team says this could be insecure for your site.

    In order to determine the DNS record we need to use $_SERVER[‘HTTP_HOST’] or $_SERVER[‘SERVER_NAME’] variables in PHP.

    The $_SERVER[‘HTTP_HOST’] and $_SERVER[‘SERVER_NAME’] variables can be changed by the user by sending a different Host header when accessing the site:

    curl -H “Host: notyourdomain.com” https://yoursite.com/

    Doing that, any URLs that used $_SERVER[‘HTTP_HOST’] or $_SERVER[‘SERVER_NAME’] would use notyourdomain.com.

    So lets say you allow homeoffice1.noip.org to whitelist, some user could access your site by passing the header stating that they are accessing your site from homeoffice1.noip.org

Viewing 1 replies (of 1 total)
  • The topic ‘dns-name instead of ip?’ is closed to new replies.