Hacker News | ethicalhack3r's comments

Just launched a new SaaS app, BuildVue!

BuildVue helps construction companies manage their projects, team, clients, and budgets.

Feedback welcome!


I did a quick write up on the two issues here while I was going through them to further understand the risk http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordp...


For a non-PHP guy, does that mean I can put the following in my PHP.ini file (I guess at the top is as good as anywhere) and be safe?

UseCanonicalName = On
ServerName = www.mydomain.com


Jesus shit on a stick.

That's two Apache directives, nothing to do with PHP directly. You likely already have the ServerName entry, as 99.9% of Apache installs would be using Vhosts these days.

The `UseCanonicalName = On` should be added to your vhost config file, or your global Apache config file (e.g. /etc/apache2/apache2.conf on Debian).


So, I'm probably one of two people in the world that run PHP on IIS. Does that mean my website is not vulnerable?


Not necessarily. It depends how IIS is configured; I believe it will exhibit the same behaviour (SERVER_NAME is taken from the Host request header) in at least some circumstances, if not all.
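The two Apache directives discussed above, written out as a vhost in Apache 2.4 syntax. This is an added example, not part of any comment in the thread; `www.mydomain.com` is the hostname from the question, while `catchall.invalid`, the `*:80` listener, the catch-all vhost itself and the `DocumentRoot` path are assumptions made for illustration.

```apache
# Apache directives are written "Name value", with no "=" sign, and belong in
# the Apache configuration (vhost file or global config), not in php.ini.

# Added hardening step (assumption, not from the thread): the first vhost
# defined for an address/port is the default, so any request whose Host header
# matches no ServerName/ServerAlias lands here and is refused.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mydomain.com

    # Default is "UseCanonicalName Off": SERVER_NAME and self-referential URLs
    # are built from the hostname the client sent in the Host header.
    # With "On", Apache builds them from the ServerName directive above.
    UseCanonicalName On

    # Placeholder path for this example.
    DocumentRoot /var/www/html
</VirtualHost>
```

`UseCanonicalName` only changes `SERVER_NAME` and Apache's self-referential URLs; the `HTTP_HOST` variable still carries whatever the client sent, so application code that reads it needs its own check. Validate the file with `apachectl configtest` before reloading.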


