diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index fc1e2d83ae961f3199a988f9c362241637e2adb7..171e9d77e3aa9efb7ea9d4a0586bed6de9a8312f 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -347,6 +347,11 @@ function conf_path($require_settings = TRUE, $reset = FALSE) {
   }
 
   $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
+  if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE || strpos($_SERVER['HTTP_HOST'], '\\') !== FALSE) {
+    // A HTTP_HOST containing slashes may be an attack and is invalid.
+    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
+    exit;
+  }
   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
   for ($i = count($uri) - 1; $i > 0; $i--) {
     for ($j = count($server); $j > 0; $j--) {
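Review bot: The new guard is a denylist of two characters, but the value it protects is still used on the next line to build filesystem path components, so any other character the host header should never carry still reaches the `settings.php` lookup. An allowlist is the safer shape here, e.g. `if (!preg_match('/^[a-zA-Z0-9.:\[\]-]+$/', $_SERVER['HTTP_HOST'])) {` (constructed pattern: hostname characters, port separator and IPv6 brackets), keeping the existing 400 response. The check also reads `$_SERVER['HTTP_HOST']` and `$_SERVER['SERVER_PROTOCOL']` unconditionally, which presumably emits notices and skips the guard when the script runs without an HTTP request, e.g. from the command line; `isset()` on both before the test would make that path explicit. The rest of conf_path, including where the `$server` components are turned into directory names, lies outside this hunk.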