Hello,
I've noticed some unexpected behaviour regarding Apache on cPanel when manipulating the "Host" HTTP request header.
It would appear that if you perform an HTTP request to Apache while specifying an arbitrary hostname in the "Host" header which does not match any domain names in any account, Apache will serve you the document root for the first hosting account alphabetically by primary domain name.
Example: You have a WHM server with the following accounts by primary domain name...
- hellothere.net
- myawesomewebsite.com
- theia.org
Bash:
curl --header "Host: www.example.com" "https://www.theia.org/"
What I'd expect to happen is for Apache to return a 404 error because no account exists claiming to own "www.example.com" (or "example.com"). Instead you'll be served the default web content for "hellothere.net", purely because that's the first account on this server alphabetically. That being said, because HTTPS was used you'd really get an SNI error if your real URL request did not go to the first site, in this case "hellothere.net". Now let's try this request:
Bash:
curl --header "Host: www.example.com" "https://www.hellothere.net/"
This will return content from that first hosting account's web content because there is no longer an SNI mismatch.
Is there a setting in WHM to adjust this behaviour, or is it a bug? (Or, hopefully not, the intended behaviour?)
This could technically be exploited, as the website on that first account may make use of the HTTP Host header for its dynamic route building of absolute URLs, which is common functionality on frameworks such as WordPress, Symfony, and Laravel. They would instead incorrectly use "www.example.com" instead of "www.theia.org" in dynamic HTML output, e.g. image URLs and script URLs, because they need to use the HTTP Host header for route building.
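A small Python check, added here as an example and not part of the original post or of cPanel, that automates the two curl requests above: it connects with TLS SNI for a domain the server really hosts, sends an arbitrary Host header, and reports both whether content was served for the unknown Host and whether the page's absolute URLs (or a redirect) reflect that Host, which is the route-building problem described. The domain names and the sample response are the post's hypothetical ones, constructed for the demo.

```python
"""Automates the post's curl checks: send a request with an arbitrary Host header over a
TLS connection whose SNI names a real site on the server, then report what came back."""
import re
import sys
import ssl
import http.client

# Matches the host part of absolute http(s) URLs in HTML/JS output.
ABS_URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)

# Constructed sample response (not captured from a real server): what the post describes,
# the first account's page building an image URL from the bogus Host header.
SAMPLE_RESPONSE = (200, {"content-type": "text/html"},
                   '<html><img src="https://www.example.com/wp-content/logo.png"></html>')

def fetch_with_host(sni_name, bogus_host, path="/", timeout=10):
    """GET `path` from `sni_name` (used for DNS and SNI) while sending `bogus_host` as the
    HTTP Host header, like `curl --header "Host: ..." https://<sni_name>/`.
    Returns (status, headers_dict, body_text)."""
    conn = http.client.HTTPSConnection(sni_name, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    # Supplying Host explicitly makes http.client skip its own Host header.
    conn.request("GET", path, headers={"Host": bogus_host, "User-Agent": "vhost-check/1.0"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body

def analyse(status, headers, body, bogus_host):
    """Pure function over a response, so it can be checked offline.
    served_default: the unknown Host got a 2xx/3xx page instead of an error, i.e. the
        fallback to the first account that the post describes.
    host_reflected: absolute URLs in the body, or a Location header, were built from the
        Host header, i.e. the framework route-building issue the post warns about."""
    bogus = bogus_host.lower()
    served_default = status < 400
    hosts_in_body = {h.lower() for h in ABS_URL_HOST.findall(body)}
    location = headers.get("location", "").lower()
    host_reflected = bogus in hosts_in_body or bogus in location
    return {"served_default": served_default, "host_reflected": host_reflected}

def demo():
    """Runs analyse() on the constructed sample; both flags come back True."""
    status, headers, body = SAMPLE_RESPONSE
    return analyse(status, headers, body, "www.example.com")

if __name__ == "__main__":
    # Usage: python vhost_check.py www.hellothere.net www.example.com  (no args: run demo)
    if len(sys.argv) == 3:
        status, headers, body = fetch_with_host(sys.argv[1], sys.argv[2])
        print(f"HTTP {status}: {analyse(status, headers, body, sys.argv[2])}")
    else:
        print(f"demo: {demo()}")
```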