Comment 4 for bug 1175446

Aaron Wells (u-aaronw) wrote :

To replicate the issue with get_requested_host_name():

1. Install Mahara
2. Find a user ID that doesn't exist yet (like ID 10 on a brand new installation with less than 10 users)
3. On the command line: curl -H "host:cow\"onerror='alert(1)'" -i "http://vegas.wgtn.cat-it.co.nz/mahara/htdocs/user/view.php?id=10"

You'll receive an HTTP 303 See Other response header, and the Location: line will include your arbitrary host string. I can't see how this is directly exploitable... but it could potentially be a building block of some sort for another attack.
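A defensive counterpart to the behaviour described above, added here as an example and not Mahara's own code: the Host header is echoed back only when it parses as a plain hostname and is on a configured allowlist, otherwise the configured site hostname is used, so a header like the one in the repro never reaches the Location line. The configured hostnames and the function names are assumptions.

```python
import re

# Constructed configuration standing in for a site's configured wwwroot and the
# hostnames it is allowed to answer on (assumption, not Mahara's config).
CONFIGURED_HOST = "mahara.example.org"
ALLOWED_HOSTS = {"mahara.example.org", "www.mahara.example.org"}

# RFC 1123 hostname grammar: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_PORT_RE = re.compile(r"^[1-9][0-9]{0,4}$")


def parse_host_header(raw):
    """Return (hostname, port) if the Host header is syntactically valid, else None.
    port is None when absent. Quotes, spaces, '=' and other characters outside the
    hostname grammar (as in the curl repro above) are rejected outright."""
    if raw is None or len(raw) > 255:
        return None
    host, sep, port = raw.strip().lower().partition(":")
    if not _HOSTNAME_RE.match(host):
        return None
    if sep:
        if not _PORT_RE.match(port) or int(port) > 65535:
            return None
        return host, int(port)
    return host, None


def requested_host_name(headers):
    """Hostname to use when building absolute URLs for the response: the request's
    Host only when it parses cleanly and is allowlisted, otherwise the configured
    hostname, so attacker-controlled text is never reflected."""
    parsed = parse_host_header(headers.get("host"))
    if parsed is None or parsed[0] not in ALLOWED_HOSTS:
        return CONFIGURED_HOST
    host, port = parsed
    return host if port is None else f"{host}:{port}"


def redirect_location(headers, path):
    """Build a Location value from a validated host and a site-relative path.
    Protocol-relative paths ('//evil...') are refused so the redirect stays on-site."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be site-relative")
    return f"https://{requested_host_name(headers)}{path}"
```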