#1 2018-07-17 09:28:46

ferryman
Member
2018-07-17
1

Phishing potential due to dynamic gallery URL

I just received multiple Piwigo 2.9.4 update notifications ("Time has come to update your Piwigo...") which contained interesting links such as "http://monster-hack.su/admin.php?page=updates" and "http://crackcommunity.com/admin.php?page=updates". I confirmed the messages were really sent by my own Piwigo instance located on a whole different URL.

The reason is most likely a combination of the following:

1) My instance can be called by any random hostname by "spoofing" the DNS name (since it's running under a default website which does not explicitly require a specific DNS name)
2) The mail notification functionality utilizes function get_absolute_root_url which in turn uses an HTTP header value from a browser request.

The result is a little discomforting at least. It gives the impression that the instance has been hacked, and it's possible to generate phishing emails by repeatedly calling the gallery by a made-up hostname. I'm uncertain what the best approach is here, but there are a few possible solutions:

a) Should all administrators simply fix 1) so that the gallery can only be called by specific hostnames?
b) Or should the base url be set in a more static way than deriving it from a browser request (such as explicitly asking for it when installing)?
c) Or is it perhaps best to remove links from the notification messages altogether?
d) ?

Comments welcome :)


#2 2018-07-17 14:01:50

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13791

Re: Phishing potential due to dynamic gallery URL

Hi ferryman,

Thank you for starting this discussion. I had not seen the potential issue here.

I like, very much, the fact that a given Piwigo can be reached from several URLs (it makes several operations much simpler).

Removing the link would be a solution, but keep in mind that all emails sent by Piwigo have a link inside, with the same potential issue :-/
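An added illustration of the two approaches ferryman lists as a) and b), written for this thread and not taken from Piwigo's code base: the request-derived root URL beside a version that uses a statically configured gallery URL or a host allowlist. Function names, config keys and the sample hostnames are hypothetical.

```php
<?php
// Added example (not Piwigo's code). Shows why building the gallery root URL
// from the request's Host header lets any hostname that resolves to the server
// end up in notification emails, and how a configured canonical URL plus a
// host allowlist prevents that. Names are hypothetical.

// Vulnerable pattern: trust whatever Host header the client sent.
function root_url_from_request(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . '/';
}

// Hardened pattern: prefer a statically configured gallery URL (option b);
// otherwise accept the Host header only if it is on the admin's allowlist (option a).
function root_url_safe(array $server, array $conf): string
{
    if (!empty($conf['gallery_url'])) {
        return rtrim($conf['gallery_url'], '/') . '/';
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Compare the hostname without an optional port against the allowlist.
    $hostname = preg_replace('/:\d+$/', '', $host);
    if (!in_array($hostname, $conf['allowed_hosts'], true)) {
        throw new RuntimeException("Untrusted Host header: $host");
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/';
}

// Constructed request: the Host header names a domain the admin does not own.
$spoofed = ['HTTP_HOST' => 'spoofed.example', 'HTTPS' => 'on'];
$conf    = ['gallery_url' => '', 'allowed_hosts' => ['gallery.example.org']];

echo "Vulnerable: " . root_url_from_request($spoofed) . "admin.php?page=updates\n";
try {
    root_url_safe($spoofed, $conf);
} catch (RuntimeException $e) {
    echo "Hardened:   rejected (" . $e->getMessage() . ")\n";
}
// With a configured gallery URL the Host header is never consulted at all.
$conf['gallery_url'] = 'https://gallery.example.org';
echo "Configured: " . root_url_safe($spoofed, $conf) . "admin.php?page=updates\n";
```

Restricting the web server's default virtual host to the real hostname (option a) has the same effect one layer earlier, since spoofed hostnames then never reach the application.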
