Investigating site_url Poisoning Through HTTP_HOST Manipulation
What to do when `[(site_url)]` starts resolving to a foreign domain and the manager begins showing CSRF warnings after a host-header style attack.
If https://evo.im/ suddenly points to a foreign domain and the manager starts warning about a possible CSRF attempt, treat it as a security incident first, not a configuration annoyance.
The original case strongly suggested host-header style manipulation: request data influenced the computed site URL, and that poisoned links and manager behavior.
Immediate response
- verify the configured host and base URL values,
- review request-handling code that trusts `HTTP_HOST` blindly,
- check whether reverse-proxy or server config is normalizing the host header,
- audit recent changes and suspicious traffic before reopening the manager to normal use.
The right long-term fix is to stop treating HTTP_HOST as trustworthy input unless it is explicitly validated. If the application builds canonical URLs from untrusted headers, attackers can poison links, break admin sessions, and create confusing CSRF side effects.
Once a site has shown this behavior, assume the request boundary needs hardening, not just one config value correction.
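One way to stop `HTTP_HOST` from steering the computed site URL is to resolve the host against an explicit allowlist and fall back to the configured canonical host for anything else. The following PHP is an added example written for this post, not code from the original site or from the CMS; the allowlist, the canonical host and the `resolve_site_host` name are assumptions for the illustration.

```php
<?php
// Added example (not from the original post): derive the canonical site host
// from an explicit allowlist instead of trusting $_SERVER['HTTP_HOST'].
// The allowlist and the canonical host below are assumed values.

/**
 * Return the host to use when building site URLs.
 * Only a host on the allowlist is accepted; anything else is logged and
 * replaced by the configured canonical host, so a forged Host header can
 * never leak into generated links.
 */
function resolve_site_host(array $server, array $allowedHosts, string $canonicalHost): string
{
    $raw = $server['HTTP_HOST'] ?? '';

    // Drop an explicit port so "evo.im:443" and "evo.im" compare equal,
    // then normalise case (DNS names are case-insensitive).
    $host = strtolower(trim(preg_replace('/:\d+$/', '', $raw)));

    // Accept only a plain DNS-style name: no slashes, spaces, '@', or
    // bracketed IPv6 literals (add those explicitly if the site needs them).
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        error_log('rejected malformed Host header: ' . var_export($raw, true));
        return $canonicalHost;
    }

    // Strict comparison against the allowlist; no wildcard or suffix matching.
    if (!in_array($host, $allowedHosts, true)) {
        error_log('rejected Host header not in allowlist: ' . $host);
        return $canonicalHost;
    }

    return $host;
}

// Assumed configuration for this site.
$allowedHosts  = ['evo.im', 'www.evo.im'];
$canonicalHost = 'evo.im';

// Constructed requests: a legitimate one and a poisoned one.
$good = resolve_site_host(['HTTP_HOST' => 'www.evo.im:443'], $allowedHosts, $canonicalHost);
$bad  = resolve_site_host(['HTTP_HOST' => 'not-the-site.example'], $allowedHosts, $canonicalHost);

// $good is 'www.evo.im'; $bad falls back to 'evo.im' and the rejection is logged.
$siteUrl = 'https://' . $good . '/';
```

The rejection log lines double as a detection signal: a burst of them on a production site is the host-header manipulation the post describes, caught before it reaches `[(site_url)]`.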
Why Raw mail() Scripts Are a Bad Fit for Public Site Forms
A practical security review of simple POST-to-mail scripts and why public forms should use validation, throttling, and safer mail handling instead.
Fixing ImportX Encoding and Field-Mapping Errors on CSV Imports
How to troubleshoot ImportX when CSV files arrive with broken encoding, question marks, or field-mapping errors such as invalid pagetitle.