Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

No, there are several $_SERVER variables available to all php applications. The two relevant ones in this case would be HTTP_HOST and SERVER_ADDR, most likely the author of the application was leaking one of those in his application.


But a webserver does not know its external IP, that is the whole confusion. Don't PHP docs say:

'SERVER_NAME' The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.

'HTTP_HOST' Contents of the Host: header from the current request, if there is one.


1.) You're assuming that the script was running on a vhost, we don't know.

2.) Even if the script is running in a vhost, if a listening port is specified but not an IP address the SERVER_NAME will be the IP of whatever the interface the http connection came from was.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: