Question

This is for intellectual purposes only, as I am curious.

Searching through Google, I cannot find a definite answer to this, so as the subject says, why is it not recommended? What can go wrong?

The only ref I get is about a security warning posted here: http://www.magentocommerce.com/blog/comments/security-update-for-magento-base-url-configuration-value/ which is from a very early version of Magento.

It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.

Can someone maybe clarify what / how this worked, and is it still an issue?

TIA

Solution

I believe this was the same cache poisoning attack as seen here:

http://seclists.org/fulldisclosure/2011/Feb/123

In short, if you use the default virtual host and {{base_url}} as your site URL, an attacker can send requests to your site with the Host header set to evilsite.com. If they do this and a cache miss happens, then the generated cache would contain links to evilsite.com, and then that would be served out to other clients.

I have spoken to people who have had this attack used against them, so it's definitely in the wild.

For more info on this kind of attack see

http://carlos.bueno.org/2008/06/host-header-injection.html

http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
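
The cache poisoning described in the answer above, shown as an added example that is not part of the original answer and is not Magento code: a toy Python model of a block cache whose key ignores the Host header, comparing `{{base_url}}` on a default virtual host with an explicit base URL plus a host allowlist. The `Store` class, `shop.example` and the rendered footer link are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Magento's implementation.
# All class, function and host names here are hypothetical.
CONFIGURED_BASE_URL = "https://shop.example/"   # assumed explicit base URL
ALLOWED_HOSTS = {"shop.example"}                # assumed virtual-host allowlist


class Store:
    def __init__(self, base_url_setting, allowed_hosts=None):
        self.base_url_setting = base_url_setting
        self.allowed_hosts = allowed_hosts      # None models a default (catch-all) vhost
        self.block_cache = {}                   # cache key does not include the Host header

    def base_url(self, host_header):
        # "{{base_url}}" means: build the URL from whatever Host the client sent.
        if self.base_url_setting == "{{base_url}}":
            return "http://%s/" % host_header
        return self.base_url_setting

    def handle(self, host_header, block="footer"):
        # With an allowlist, unknown hosts are rejected before any rendering happens.
        if self.allowed_hosts is not None and host_header not in self.allowed_hosts:
            return None
        if block not in self.block_cache:       # cache miss: render once and store
            link = '<a href="%scontact">Contact</a>' % self.base_url(host_header)
            self.block_cache[block] = link
        return self.block_cache[block]          # everyone after that gets the stored copy


def served_to_visitor(store, first_request_host):
    """HTML a normal visitor receives after one earlier request with the given Host."""
    store.handle(first_request_host)            # the request that lands on the cache miss
    return store.handle("shop.example")         # a later, legitimate visitor


def demo():
    vulnerable = Store("{{base_url}}")                        # default vhost + {{base_url}}
    fixed_url = Store(CONFIGURED_BASE_URL)                    # explicit base URL only
    hardened = Store(CONFIGURED_BASE_URL, ALLOWED_HOSTS)      # explicit URL + named vhost
    return [served_to_visitor(s, "evilsite.com")
            for s in (vulnerable, fixed_url, hardened)]


if __name__ == "__main__":
    for html in demo():
        print(html)
```

Only the first configuration stores the attacker-supplied host in the cache; setting an explicit base URL removes the Host header from link generation, and a non-default virtual host stops the request from reaching the application at all.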

OTHER TIPS

I have no idea and can't imagine at the moment any attack or something based on an undefined base URI. But payment providers, PayPal IPN and other backpings come to mind.

Having said that, you want to control your base URL, for example to avoid duplicated content for search engines. The only thing I see a problem with at the moment is SEO stuff.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange