Prevent Host header attack

Tags:

security

php

I scanned my website with Acunetix Web Vulnerability Scanner and I got a Host Header attack vulnerability.

The description says that I wrote

$_SERVER["HTTP_HOST"] in PHP

but I didn't, and I don't know how to fix this.

Here is the header of the affected file:

<?php
    include 'core/init.php';

    // Already authenticated users are sent to the home page.
    if($user->is_loggedin()){
        redirect('index.php');
        exit();
    }

    // Mobile clients are sent to the mobile login page.
    if($detect->isMobile()){
        redirect('http://m.website.com/prijava.php');
        exit();
    }

    // Login form submitted.
    if(isset($_POST['prijava'])){
        $post = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
        // Lock the account for 10 minutes after 3 failed attempts.
        if(time() - $user->failTime($post['email']) < 600 && $user->failCount($post['email']) >= 3){
            $err = '<p style="color:red;">Račun vam je zaključan na 10 minuta.</p>';
        }else{
            if(empty($post['email']) || empty($post['password'])){
                $err = '';
            }elseif($id = $user->prijava($post['email'], $post['password'])){
                // Credentials are valid; only activated accounts may log in.
                if($user->isActive($post['email'])){
                    $_SESSION['user'] = $id['id'];
                    $user->resetFail();
                    redirect('index.php');
                    exit();
                }else{
                    $err = '<p style="color:red;">Korisnički račun nije aktiviran.</p>';
                }
            }else{
                // Wrong password: record the failure only for known e-mail addresses.
                if($user->checkMail($post['email'])){
                    if($user->storeFail($post['email'])){
                        $err = '<p style="color:red;">Lozinka i email se ne poklapaju.</p>';
                    }
                }else{
                    $err = '<p style="color:red;">Lozinka i email se ne poklapaju.</p>';
                }
            }
        }
    }
?>

And the HTML:

<head>
    <meta charset="UTF-8">
    <title>Prijava</title>
    <link rel="shortcut icon" href="images/favicon.png" type="image/png">
    <link rel="stylesheet" type="text/css" href="css/sign.css?<?php echo time(); ?>">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
</head>

Here is an image of the vulnerability description:

To sum up, how can I protect my website? Thank you.

CroStorm99 Avatar asked May 12 '17 15:05


2 Answers

There are two ways to prevent Host header attacks:

  1. Use $_SERVER['SERVER_NAME'] and enforce it at the httpd (Apache, nginx, etc.) configuration level

    What this means is that you should have an explicitly configured virtual host for each domain you serve. Or in other words - don't allow "catch-all" configurations.

  2. Check if it matches a whitelist of domains that you serve:

    // Just in case there's more than one ...
    $domains = ['abc.example.com', 'foo.bar.baz'];
    if ( ! in_array($_SERVER['SERVER_NAME'], $domains)) {
        // error
    }

Despite what its name implies, unless you followed the first solution, $_SERVER['SERVER_NAME'] will also be populated by the Host header value when PHP runs through a "catch all" configuration.
Thus, they are both equal unless your HTTP server is properly configured, hence why both solutions above refer to $_SERVER['SERVER_NAME'] - it effectively doesn't matter if you use that or $_SERVER['HTTP_HOST'].

Narf Avatar answered Sep 28 '22 07:09


This is the code to resolve the host header attack. The URLs have to be specified.

$allowed_domains = array('yourdomain1', 'yourdomain2', 'yourdomain3');
$default_domain  = 'yourprimedomain';

if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
{
    $domain = $_SERVER['HTTP_HOST'];
}
else
{
    $domain = $default_domain;
}

if (! empty($_SERVER['HTTPS']))
{
    $config['base_url'] = 'https://'.$domain;
}
else
{
    $config['base_url'] = 'http://'.$domain;
}

Please put this in your header:

<base href="<?php echo base_url(); ?>" />

and run a test with "Edit and Resend" in Mozilla, or do it with curl.

azola akbar Avatar answered Sep 28 '22 07:09
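As an added example (not from the question or either answer above) that combines the allowlist approach of both answers: the host names and port below are constructed placeholders, and the helper names resolve_host() and base_url_for() are assumptions. Unlike a bare strict in_array() comparison, it normalises case and strips an optional :port before matching, and it rejects anything that is not a plain host name, so a forged Host value can never reach a generated link or redirect.

```php
<?php
// Added example: validate the Host header against a fixed allowlist and derive
// the application's base URL from the validated value, never from raw $_SERVER data.
// Host names below are constructed placeholders.

const ALLOWED_HOSTS = ['www.example.com', 'm.example.com'];
const DEFAULT_HOST  = 'www.example.com';

/**
 * Return the canonical host to use for this request.
 * $hostHeader is the raw Host header value, or null when the header is absent.
 */
function resolve_host(?string $hostHeader, array $allowed = ALLOWED_HOSTS, string $default = DEFAULT_HOST): string
{
    if ($hostHeader === null || $hostHeader === '') {
        return $default;
    }
    // Lower-case and drop an optional :port so "WWW.Example.com:443" still matches.
    $host = strtolower(trim($hostHeader));
    $host = preg_replace('/:\d+$/', '', $host);
    // Only plain DNS labels are acceptable; paths, '@', spaces, brackets are rejected.
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return $default;
    }
    return in_array($host, $allowed, true) ? $host : $default;
}

/**
 * Build the base URL from the validated host rather than from $_SERVER['HTTP_HOST'].
 */
function base_url_for(?string $hostHeader, bool $https): string
{
    return ($https ? 'https://' : 'http://') . resolve_host($hostHeader);
}

// Demonstration with constructed inputs (not real requests).
$cases = [
    'www.example.com'      => 'https://www.example.com',
    'M.EXAMPLE.COM:443'    => 'https://m.example.com',
    'attacker.example.net' => 'https://www.example.com', // unknown host falls back
    'www.example.com@evil' => 'https://www.example.com', // malformed value falls back
    ''                     => 'https://www.example.com',
];
foreach ($cases as $in => $want) {
    $got = base_url_for($in, true);
    printf("%-24s -> %s %s\n", var_export($in, true), $got, $got === $want ? 'OK' : 'MISMATCH');
}

// In a real request: $config['base_url'] = base_url_for($_SERVER['HTTP_HOST'] ?? null, !empty($_SERVER['HTTPS']));
```

The web server's virtual-host configuration remains the primary control, as the first answer notes; this check is the in-application fallback for a catch-all setup.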