Everyone can create subdomains!
Hello to all,
I'd like to know how I can prevent people from creating subdomain names on behalf of other accounts. Let me give you an example:
We will put a situation where two users are set:
User A: domaina.tls
User B: domainb.tls
Now, the normal User A can create subdomain names using the domain name domainb.tls, like blog.domainb.tls, and likewise for User B.
As long as both domains are pointing to the same server, both users are going to be able to create subdomain names on behalf of others. Is there a way to prevent that? Here is my DNS template for all domain names:
Code:
ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='3' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='4' RECORD='mail' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='5' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='6' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='7' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='8' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='9' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ?all"' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='10' RECORD='mysql' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
Re: Everyone can create subdomains!
Heya,
According to my tests, the following is possible (exactly the same results as the OP):
User1 has TLD1 hosted on VESTA
User2 has TLD2 hosted on VESTA
User1 can create and operate normally subdomain.TLD2
User2 can create and operate normally subdomain.TLD1
This seems to be a VERY SERIOUS issue! And I don't see a way how to resolve this... :-(
If you have only one user on VestaCP, you don't really care about this, but I don't think VestaCP was created to be a single user Control Panel >.<
Re: Everyone can create subdomains!
Yeah, it's really bad because everyone can manage subdomains on behalf of others. :(
Re: Everyone can create subdomains!
This is an issue with some other control panels also so it's not exclusive to VestaCP. Unfortunately the other control panels have known about it for months and haven't fixed it. I'll see if I can throw something together for VestaCP tonight.
Re: Everyone can create subdomains!
Coded a fix for this but it's not perfect. It will not let users add domains if the TLD has two periods in it (like .co.uk, .us.com, .org.au, etc...).
Edit /usr/local/vesta/web/add/web/index.php:
Find:
Code:
// Set domain name to lowercase and remove www prefix
$v_domain = preg_replace("/^www\./i", "", $_POST['v_domain']);
$v_domain = escapeshellarg($v_domain);
$v_domain = strtolower($v_domain);
Add below:
Code:
// Only names with more than one dot are treated as subdomains
if(substr_count($v_domain, '.') > 1) {
    $parts = explode('.', $v_domain);
    end($parts);
    // Rebuild the parent domain from the last two labels
    $domain = prev($parts).'.'.end($parts);
    // Drop the closing quote added by escapeshellarg()
    $domain = substr($domain, 0, -1);
    // Reject if the parent domain is not in this user's web directory
    if(!is_dir('/home/'.$user.'/web/'.$domain)) {
        $_SESSION['error_msg'] = __('You cannot create a subdomain for a domain not already in your account.',$error_msg);
    }
}
Like I said, not perfect but a temporary fix.
Re: Everyone can create subdomains!
Awesome KuJoe,
I'll give it a try, you are the man, thanks.
Re: Everyone can create subdomains!
I have fixed this. With this code, if user A owns domain abc.com then user B would not be able to add xyz.abc.com.
You can read all the details of how I fixed it in my blog.
https://dv-hosting.com/blog_detail.php?id=6
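The ownership rule described in this thread (if user A owns abc.com, user B cannot add xyz.abc.com) can be enforced by walking up the requested name's parent domains and comparing each one against the domains already hosted on the server, which also avoids the two-label limitation with suffixes like .co.uk. This is an added example, not code from VestaCP or from the linked blog post; the function name findConflictingOwner, the $domainsByUser map and the user names are hypothetical.

```php
<?php
// Added example, not VestaCP code. $domainsByUser is a constructed stand-in
// for the panel's per-user domain lists (hypothetical shape).

/**
 * Return the user who already owns $candidate or one of its parent
 * domains, if that user is not $user; otherwise return null.
 */
function findConflictingOwner(string $candidate, string $user, array $domainsByUser): ?string
{
    // Normalise as the snippet in this thread does: lowercase, no "www." prefix.
    $name = rtrim(strtolower(trim($candidate)), '.');
    $name = preg_replace('/^www\./', '', $name);

    // Index every hosted domain by its owner.
    $ownerOf = [];
    foreach ($domainsByUser as $owner => $domains) {
        foreach ($domains as $d) {
            $ownerOf[strtolower($d)] = (string) $owner;
        }
    }
    // Walk up the tree: a.b.example.co.uk, b.example.co.uk,
    // example.co.uk, co.uk. The bare TLD is never checked.
    $labels = explode('.', $name);
    while (count($labels) >= 2) {
        $parent = implode('.', $labels);
        if (isset($ownerOf[$parent]) && $ownerOf[$parent] !== $user) {
            return $ownerOf[$parent];
        }
        array_shift($labels);
    }
    return null;
}

// Constructed sample data: two accounts on one server.
$hosted = [
    'usera' => ['domaina.tls', 'example.co.uk'],
    'userb' => ['domainb.tls'],
];
$requests = [
    ['usera', 'blog.domainb.tls'],    // under another account's domain
    ['usera', 'blog.domaina.tls'],    // under the requester's own domain
    ['userb', 'shop.example.co.uk'],  // two-label suffix, other owner
    ['userb', 'newsite.co.uk'],       // unrelated name under the same suffix
];
foreach ($requests as [$who, $name]) {
    $owner = findConflictingOwner($name, $who, $hosted);
    echo $who, ' -> ', $name, ': ', $owner === null ? 'allowed' : "denied (owned by $owner)", "\n";
}
```

Because the comparison is against domains actually hosted on the server rather than a guess at the registrable domain, the check belongs in the server-side path that creates the domain, not only in the web form.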
Re: Everyone can create subdomains!
KuJoe wrote: ↑Sat Sep 26, 2015 8:25 am
Coded a fix for this but it's not perfect. It will not let users add domains if the TLD has two periods in it (like .co.uk, .us.com, .org.au, etc...).
Question: If you make this change and VestaCP (VCP) does an update, does the update basically undo this? Would I have to constantly make this change each and every single time that VCP updates?
Re: Everyone can create subdomains!
WQYU wrote: ↑Sat Dec 16, 2023 3:22 am
Question: If you make this change and VestaCP (VCP) does an update, does the update basically undo this? Would I have to constantly make this change each and every single time that VCP updates?
Hi there, could someone help with this? I'm facing the same issue and am searching for a solution. If anyone has one, please mention me. Thank you very much.