To replicate the issue with get_requested_host_name():
1. Install Mahara
2. Find a user ID that doesn't exist yet (like ID 10 on a brand new installation with fewer than 10 users)
3. On the command line: curl -H "host:cow\"onerror='alert(1)'" -i "http://vegas.wgtn.cat-it.co.nz/mahara/htdocs/user/view.php?id=10"
You'll receive an HTTP 303 See Other response header, and the Location: line will include your arbitrary host string. I can't see how this is directly exploitable... but it could potentially be a building block of some sort for another attack.
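The pattern behind the report, as an added example that is not part of the bug report or of Mahara's code: a hypothetical redirect builder that takes the host straight from the request's Host header (which is what makes the attacker's string come back in Location), the hardened version that only accepts an allow-listed hostname and otherwise falls back to the configured site host, and the check the curl step does by eye, run here over a constructed 303 response modelled on the one described. The hostnames, paths and function names are assumptions for illustration; nothing here is taken from Mahara's source.

```python
import re

# Constructed sample, modelled on the response the report describes: a 303
# whose Location echoes the Host header sent by the client. Not a real capture.
MARKER_HOST = "cow\"onerror='alert(1)'"
SAMPLE_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Server: Apache\r\n"
    f"Location: http://{MARKER_HOST}/mahara/htdocs/user/view.php?id=10\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# A hostname, optionally followed by :port, built only from characters that may
# appear in a URI reg-name. Quotes, spaces, slashes and so on do not match.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")


def naive_location(host_header: str, path: str) -> str:
    """Hypothetical vulnerable pattern: the redirect target is assembled from
    the request's Host header verbatim, so whatever the client sent is echoed."""
    return f"http://{host_header}{path}"


def safe_location(host_header: str, path: str, allowed_hosts, fallback_host: str) -> str:
    """Hardened pattern: use the Host header only if it is syntactically a
    hostname and is on the allow-list (the configured site host and aliases);
    otherwise build the redirect from the configured host instead."""
    host = host_header.strip()
    allowed = {h.lower() for h in allowed_hosts}
    if _HOST_RE.match(host) and host.lower() in allowed:
        chosen = host
    else:
        chosen = fallback_host
    return f"http://{chosen}{path}"


def status_code(raw_response: str) -> int:
    """Parse the status code out of the status line of a raw HTTP response."""
    status_line = raw_response.split("\r\n", 1)[0]
    return int(status_line.split(" ")[1])


def location_header(raw_response: str):
    """Return the value of the Location header, or None if there is none."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def location_reflects_host(raw_response: str, injected_host: str) -> bool:
    """The check the report does by inspecting curl -i output: is the
    attacker-supplied Host value present in the Location header?"""
    loc = location_header(raw_response)
    return loc is not None and injected_host in loc


if __name__ == "__main__":
    path = "/mahara/htdocs/user/view.php?id=10"
    site = "vegas.wgtn.cat-it.co.nz"
    print("naive :", naive_location(MARKER_HOST, path))
    print("safe  :", safe_location(MARKER_HOST, path, [site], site))
    print("status:", status_code(SAMPLE_303))
    print("reflected:", location_reflects_host(SAMPLE_303, MARKER_HOST))
```

The allow-list check compares the whole host:port string case-insensitively, so a reverse proxy that forwards a non-default port must have that exact value listed; rejecting and falling back to the configured host (rather than echoing the request) is what keeps the Location header under the site's control.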