Things I should know regarding the $_SERVER['HTTP_HOST'] variable?

[Attilitus]

I have developed a lightweight, but very secure, php licensing system using fairly simple methods.

 

My main question is, how reliable is the $_SERVER['HTTP_HOST'] variable? I have dealt with security on all other levels, but I have my doubts as to whether or not using that variable as an authentification method would be completely secure. Are there any known methods for manipulating that value to display something other than the actual domain running the script? If so are there any ways to counteract these efforts, or perhaps a better method of verification?

[Attilitus]

I hate to bump.

[ShogunWarrior]

Yes, they can change it to whatever they want.

For instance, this code (on my machine):

echo $_SERVER['HTTP_HOST'];

$_SERVER['HTTP_HOST'] = 'hahahahaha.com';

echo $_SERVER['HTTP_HOST'];
?>

 

Prints:

localhost 
hahahahaha.com

 

So, it can be changed easily.

[Balmung-San]

In order for them to do something like that though, they'd need to change the server side script. Attilitus wants to know if it's possible on the client side to change that. I'm unsure of this myself, but I believe that data is sent over as part of the headers to the server, so I'm sure it could be changed by doing some packet manipulation.

 

Then again, I might be wrong on that, but that's how I think it's implemented.

[Attilitus]

No this is part of a php script licensing system, so being able to change the variable by modifying server-side script is indeed a problem. The code itself would of course be encrypted but, inclusion would be easily possible.

 

Is there anyway to set the server variable to the proper domain, or perhaps a better means of verifying the information of the server running the file?

 

Thanks in advance!

[ShogunWarrior]

HTTP_HOST is given to PHP by Apache/IIS (the server) so you shouldn't be able to manipulate it on the client side.

 

No this is part of a php script licensing system, so being able to change the variable by modifying server-side script is indeed a problem. The code itself would of course be encrypted but, inclusion would be easily possible.

 

Is there anyway to set the server variable to the proper domain, or perhaps a better means of verifying the information of the server running the file?

 

You _could_ use the Server IP to reverse DNS and get the hostname by then I assume they could change the IP.

 

I briefly tested and changing $_SERVER['HTTP_HOST'] does not affect getenv( 'HTTP_HOST' ); which also returns the host.

[Attilitus]

Hm... So would that be a relatively unfakable method of returning the domain name of the script?

 

Any additional anti-cheating methods would be greatly appreciated too, to prevent the bypassing of an external call-home.

 

edit: I believe that php merely treats the getenv function variables as merely "different" but still modifiable ones. Can someone confirm/deny this?

[ShogunWarrior]

I can't be sure how non-fakable it is because I haven't tested extensively but I think the most secure is to send $_SERVER['HTTP_HOST'], getenv('HTTP_HOST'),IP etc. so you can cover most of the bases.

[Attilitus]

There has got to be some fundamentally unchangable unique "call" that one could make for PHP...

[ShogunWarrior]

Concerning getenv, they may be able to tamper with the date by calling putenv("HTTP_HOST=haha.com") before your script.

[Attilitus]

Hm... so I guess there are no non-tamperable unique-to-server variables in PHP?

 

That is rather disheartening. I guess I will just have to be extra tricky. Is there anyway to "set" the variable to the proper value before running the relavent code though?

[Balmung-San]

You could make it so that your code won't do anything unless they include one of your files before anything else (i.e., do a session_start or header in it), and back up the variable before they have a chance to mess with it. Not sure how well that would work though.

[Attilitus]

Perhaps... if I were to store the variable before including any other files would it be possible to bypass it at all? (eg. would they be able to modify the variables or include code?)

 

Here is an example:

 

<?php

//You get the picture...

$storevariable=SERVER[DOMAIN] ;

 

require_once('./include/non-encryptedinclude.php');

 

Checklicense($storevariable);

 

Main script;

 

?>

[Balmung-San]

If you store it before they can do anything with it, it should be fine.

 

You can do a session_start() (if it makes sense to) in the file you store it in. This will force them to execute it before anything else.

[Attilitus]

Why would it be beneficial to execute a session_start() command?

[Balmung-San]

Usually it's only good if you want to store session variables. However, when you use a session_start() everything else will error out if the session_start() isn't the first thing. So if you place a file with say:

 

<?php

session_start();

//backup variable

?>

 

That will have to execute first, or the page will error out. This will make it so you will always get that backed up.

 

For that matter, you can also store the backed up copy in a session variable just to make use of it, or call a session_end() in the same file.

[ShogunWarrior]

A more graceful way to do what Balmung described:

if( headers_sent() )
{
   die( 'Output sent before protection script.' );
}

[Balmung-San]

Hmm, didn't know about the headers_sent function.

 

At least now I know how to crash with grace.