0

Are there any possible problems with using ServerAlias * in an Apache configuration?

One thing I considered: ServerAlias is based on HTTP_HOST in HTTP headers delivered by the client, which can obviously be modified manually by the client. Is there any value that the user could send via the HTTP_HOST which could be harmful/damaging to the server?

ChaimKut

2 Answers

2

Well, there shouldn't be a need for that. If none of the other VirtualHosts match the hostname, the server will use the default virtualhost, which is the first virtualhost in the configuration. Therefore the default virtualhost is usually named 000-default, just to become first in /etc/apache2/sites-enabled.

So you can achieve the same outcome by renaming the symlink in sites-enabled to be the first. Or you could make 000-default a redirection to your actual domain.

I don't think there's currently any known vulnerability in Apache that could use just HTTP_HOST. However, it depends on the applications you are running on the default virtualhost, e.g. a PHP script that allows modifying some exploitable variable through HTTP_HOST. Actually, by making 000-default just a redirection you could also prevent that (minor) risk.

Esa Jokinen
2

No is the short answer, in my understanding. As mentioned by Esa Jokinen, Apache itself may not be directly harmed from just using HTTP_HOST; it can, however, create problems for an application running on Apache. From there the possibility of malicious attacks grows exponentially.

After reading this article, Practical HTTP Host header attacks, one can better understand how HTTP_HOST attacks can occur, and what they might affect. In the article, an attack example uses curl to spoof the HTTP_HOST to include extra unintended content. Here's a similar example for connecting to your localhost and saving the output:

curl -H "Host: fakehostPLUS\"onerror='alert(1)'rel='stylesheet'" localhost -o file.html
CrandellWS
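
The application-side risk both answers describe, as an added example that is not part of either answer: a Python stand-in for an application running behind a catch-all virtual host, showing a Host value reflected into markup next to a version that checks it against an allowlist first. `ALLOWED_HOSTS`, `CANONICAL_HOST` and the function names are assumptions made for the illustration.

```python
import html

# Assumption: the hostnames this site is really served under.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"

# Constructed sample: the Host value sent by the curl command above.
SPOOFED = "fakehostPLUS\"onerror='alert(1)'rel='stylesheet'"


def naive_stylesheet_tag(host_header):
    """Risky pattern: the client-supplied Host is reflected into markup as-is."""
    return '<link href="http://%s/style.css" rel="stylesheet">' % host_header


def normalize_host(host_header):
    """Return the allowlisted hostname named by the header, or None."""
    host = host_header.strip().lower()
    # Split off an optional :port; a non-numeric "port" means a malformed value.
    host, _, port = host.partition(":")
    if port and not port.isdigit():
        return None
    host = host.rstrip(".")  # "example.com." names the same host
    return host if host in ALLOWED_HOSTS else None


def safe_stylesheet_tag(host_header):
    """Hardened pattern: allowlist, fall back to the canonical name, escape on output."""
    host = normalize_host(host_header) or CANONICAL_HOST
    return '<link href="http://%s/style.css" rel="stylesheet">' % html.escape(host, quote=True)


if __name__ == "__main__":
    print("naive:", naive_stylesheet_tag(SPOOFED))
    print("safe: ", safe_stylesheet_tag(SPOOFED))
    print("legit:", safe_stylesheet_tag("Example.COM:8080"))
```

With `ServerAlias *` or an application served from the default virtual host, every Host value reaches the application, so the allowlist has to live in the application or in a default virtual host that only redirects.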