
easy way to hardcode something onto somebody's page

... if they have a <base href=""> tag...

         

londrum

8:19 pm on Aug 5, 2007 (gmt 0)




i've just come across something worrying whilst fixing a problem mentioned in another post, and i don't know if i should be worried about it.

i read something at webmasterworld last month which suggested putting a <base href="http://www.example.com" /> tag onto every page, containing the full url of the page.

because i use a template system on my site, i included it in the header with a piece of php code...

<?php 
echo'<base href="http://'.$_SERVER['HTTP_HOST'].''.$_SERVER['REQUEST_URI'].'" />';
?>

when i was going through my logs, i came across a funny url that doesn't exist on my site. it was something like this...

http://www.example.com/example.html/blah.html

you can see that the actual url should have been www.example.com/example.html, and the extra blah.html on the end probably just came from a wrongly typed link.
when you visited this incorrect url, it still arrived at exactly the same page - so it was nothing to worry about.
but because the $_SERVER['REQUEST_URI'] included the extra blah.html, when i looked at the page source, the blah.html had naturally been included in the <base href="http://www.example.com/example.html/blah.html" /> tag -- and it was hard-coded onto the page.
and just to make it a bit worse - i happen to cache my dynamically created pages for a few days - so the same thing got served to everyone visiting that page, regardless of whether they came from the incorrect url.

nothing bad happened though.

but now i am wondering... presumably a lot of people write the urls into their <base> tags in a similar way. do you think it could be a security issue? can someone add something onto the end of your url that would harm you if it was hard-coded onto your page?

Habtom

6:22 am on Aug 6, 2007 (gmt 0)




I wouldn't worry about it.

I don't see any security issues, if you properly validate, escape and clean up any submitted data.

Try ending the base href with a forward slash, and see if it makes a difference in the path problems you mentioned.

Habtom

Habtom

9:39 am on Aug 6, 2007 (gmt 0)




There is an interesting discussion going on base href here [webmasterworld.com]

WesleyC

4:02 pm on Aug 6, 2007 (gmt 0)




Please note, though, that the HTTP_HOST value actually comes from the user's browser. Someone who knows what they're doing could potentially steal user data by scraping your site, setting up their own (with POST and GET header tracking, as well as cookies), then sending a false HTTP_HOST header to your website (which would then insert this into the base URL).

If you cache this page and send it to your other users, they could potentially enter data (such as passwords or possibly paypal/credit card info), then have their data sent--not to your server, but to the target of the base href + relative href. In this case, that's whatever the attacker injected into the HTTP_HOST value.

So, say an attacker notices that your website uses the base tag and gets a bright idea. He notices that the base tag changes occasionally (possibly from non-www. to www., depending on a factor such as type-in traffic), meaning it's being cached. He then notes at about what time of day it changes. It's a long shot, but from there a skilled attacker could definitely penetrate into your system and steal user data. Not only that, but your site would also appear to users to be "broken" for the day.

It might be better just to hardcode your website address, rather than using HTTP_HOST. :) If you're making something redistributable, request the website address once, then store it in a config file--anything to avoid the HTTP_HOST header.
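
Added example, not part of the original thread: the request-derived base tag from the first post next to a config-derived one, plus a guard that refuses to cache a page rendered for a non-canonical host or path. CANONICAL_ORIGIN, the function names and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the thread). CANONICAL_ORIGIN and the function
// names are hypothetical; all request values below are constructed.
const CANONICAL_ORIGIN = 'http://www.example.com'; // set once in config

// Pattern from the first post: host and path both come from the request.
function base_tag_from_request(array $server): string
{
    return '<base href="http://' . $server['HTTP_HOST'] . $server['REQUEST_URI'] . '" />';
}

// Hardened: origin from config, path supplied by the template for the page
// it is rendering, and the attribute value HTML-escaped.
function base_tag_from_config(string $pagePath): string
{
    $href = CANONICAL_ORIGIN . '/' . ltrim($pagePath, '/');
    return '<base href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" />';
}

// Cache guard: store the rendered page only when the request was for the
// canonical host and the exact path of the page being rendered.
function is_cacheable(array $server, string $pagePath): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    return ('http://' . $host) === CANONICAL_ORIGIN
        && $path === '/' . ltrim($pagePath, '/');
}

$requests = [ // constructed sample requests for the page /example.html
    'normal'      => ['HTTP_HOST' => 'www.example.com',    'REQUEST_URI' => '/example.html'],
    'extra path'  => ['HTTP_HOST' => 'www.example.com',    'REQUEST_URI' => '/example.html/blah.html'],
    'forged host' => ['HTTP_HOST' => 'other-site.example', 'REQUEST_URI' => '/example.html'],
];

foreach ($requests as $label => $server) {
    echo $label, "\n";
    echo '  from request: ', base_tag_from_request($server), "\n";
    echo '  from config:  ', base_tag_from_config('/example.html'), "\n";
    echo '  cacheable:    ', is_cacheable($server, '/example.html') ? 'yes' : 'no', "\n";
}
```

Only the first request is marked cacheable, and the config-derived tag is identical for all three, so neither the extra path nor the forged host can end up in a cached copy.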

londrum

7:14 pm on Aug 6, 2007 (gmt 0)




yup, i reckon you're right. doing it with $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] sounds too risky. i am going to hardcode the whole lot, thanks

WesleyC

7:24 pm on Aug 6, 2007 (gmt 0)




It is a very remote possibility that anyone would be able to find out all that information and hack your site, I'll freely admit--but it is a possibility; security by obscurity is never the best option available. :)