Host Header Injection Fix

Descrizione

Enables custom headers for WP email notifications
Also “set it and forget it” security fix for WP < 5.5

Importante

As of WordPress 5.5, this plugin no longer is necessary to fix the host-header security issue reported in Ticket #25239 finally is fixed, and mentioned in this post WordPress 5.5 Beta 4. Thank You WordPress devs!

Is this plugin still useful?

Yes, it enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. And for versions of WordPress less than 5.5, this plugin continues to fix the host-header injection security issue.

Caratteristiche

This simple plugin does three things:

1. Sets custom From, Name, and Return-Path for WP notifications
2. Fixes a security vulnerability in WordPress versions < 5.5
3. Fixes a bug where invalid email addresses may be generated (in WordPress versions < 5.5)

Choose from the following options:

• Use WordPress defaults (insecure for WP < 5.5)
• Use “Email Address” from WP General Settings
• Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.

Perché?

The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

• A “From” address is not set,
• And the $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? Follows is a quick summary. To learn more in-depth, check out the resources linked in the next section.

• WordPress uses $_SERVER['SERVER_NAME'] to set the “From” header in email notifications
• This includes sensitive email notifications like password resets and user registration
• In some cases, an attacker could modify the “From” header and intercept the email
• Using the intercepted email, an attacker could gain access to your site and wreak havoc

More Infos

This security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:

• WP Core Trac Ticket
• WP Vulnerability Database
• Exploit Box Info
• Even more infos

Privacy

Questo plugin non raccoglie o conserva alcun dato dell’utente. Non imposta alcun cookie e non si collega a nessun servizio di terze parti. Per questo motivo, questo plugin non influisce sulla privacy dell’utente in nessun modo.

Host Header Injection Fix is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Supporta lo sviluppo

Sviluppo e mantengo con dedizione questo plugin gratuito per la comunità di WordPress. Puoi dare il tuo contributo facendo una donazione o acquistando uno dei miei libri:

• The Tao of WordPress
• Digging into WordPress
• .htaccess made easy
• WordPress Themes In Depth
• Wizard’s SQL Recipes for WordPress

E/o acquista uno dei miei plugin premium per WordPress:

• BBQ Pro – Firewall super veloce per WordPress
• Blackhole Pro – Blocca automaticamente bot dannosi
• Banhammer Pro – Tieni d’occhio il traffico e allontana i cattivi (blocca gli accessi sospetti)
• GA Google Analytics Pro – Connetti WordPress a Google Analytics
• Head Meta Pro – Meta Tag per WordPress definitivo
• Simple Ajax Chat Pro – Chat room illimitate
• USP Pro – Form front-end illimitati

Links, tweets and likes also appreciated. Thank you! 🙂