Everyone can create subdomains!

Posted: Sat Aug 29, 2015 4:26 pm
by mike08
Hello to all,

I'd like to know how I can prevent people from creating subdomain names on behalf of other accounts. Let me give you an example:
We will put a situation where two users are set:
User A: domaina.tls
User B: domainb.tls

Now, the normal User A can create subdomain names using the domain name domainb.tls, like blog.domainb.tls, and the same goes for User B.

As long as both domains are pointing to the same server, both users are going to be able to create subdomain names on behalf of others. Is there a way to prevent that? Here is my DNS template for all domain names:

ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='3' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='4' RECORD='mail' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='5' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='6' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='7' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='8' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='9' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ?all"' SUSPENDED='no' TIME='%time%' DATE='%date%'
ID='10' RECORD='mysql' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%'

Re: Everyone can create subdomains!

Posted: Fri Sep 11, 2015 9:33 am
by Felix
Heya,

According to my tests, the following is possible (exactly the same results as the OP):
User1 has TLD1 hosted on VESTA
User2 has TLD2 hosted on VESTA

User1 can create and operate normally subdomain.TLD2
User2 can create and operate normally subdomain.TLD1

This seems to be a VERY SERIOUS issue! And I don't see a way how to resolve this... :-(

If you have only one user on VestaCP, you don't really care about this, but I don't think VestaCP was created to be a single user Control Panel >.<

Re: Everyone can create subdomains!

Posted: Tue Sep 22, 2015 9:04 pm
by mike08
Yeah, it's really bad because everyone can manage subdomains on behalf of others. :(

Re: Everyone can create subdomains!

Posted: Sat Sep 26, 2015 7:30 am
by KuJoe
This is an issue with some other control panels also so it's not exclusive to VestaCP. Unfortunately the other control panels have known about it for months and haven't fixed it. I'll see if I can throw something together for VestaCP tonight.

Re: Everyone can create subdomains!

Posted: Sat Sep 26, 2015 8:25 am
by KuJoe
Coded a fix for this but it's not perfect. It will not let users add domains if the TLD has two periods in it (like .co.uk, .us.com, .org.au, etc...).

Edit /usr/local/vesta/web/add/web/index.php:

Find:

    // Set domain name to lowercase and remove www prefix
    $v_domain = preg_replace("/^www\./i", "", $_POST['v_domain']);
    $v_domain = escapeshellarg($v_domain);
    $v_domain = strtolower($v_domain);
Add below:

    // At this point $v_domain has already been through escapeshellarg(), so it
    // is wrapped in single quotes, e.g. 'blog.domainb.tls'.
    if(substr_count($v_domain, '.') > 1) {
        // Take the last two labels as the parent domain. This is why a suffix
        // with two labels is not handled: for example.co.uk this yields co.uk,
        // which is never in the account, and the domain is refused.
        $parts = explode('.', $v_domain);
        end($parts);
        $domain = prev($parts).'.'.end($parts);
        // Strip the trailing quote left by escapeshellarg()
        $domain = substr($domain, 0, -1);
        // Only allow the subdomain if the parent domain already exists in this
        // user's account; the rest of index.php skips adding the domain when
        // error_msg is set.
        if(!is_dir('/home/'.$user.'/web/'.$domain)) {
            $_SESSION['error_msg'] = __('You cannot create a subdomain for a domain not already in your account.');
        }
    }
Like I said, not perfect but a temporary fix.

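A generalisation of the check above, added here as an example and not part of KuJoe's patch or of VestaCP itself: instead of assuming the parent domain is always the last two labels, it walks every parent of the requested name and refuses the request when the closest registered parent belongs to a different account, which also covers multi-label suffixes such as .co.uk. The registry array, the account names and the function names are constructed for this example.

```php
<?php
// Added example, not VestaCP code. Models the ownership check for a requested
// domain by walking its parent labels against a registry of existing domains.

/**
 * Find the closest registered domain that is equal to, or a parent of,
 * $requested. $registry maps a lowercase domain name to its owning account
 * (a constructed stand-in for whatever the panel already knows about).
 * Returns ['domain' => ..., 'owner' => ...] or null if nothing matches.
 */
function find_parent_owner(string $requested, array $registry): ?array
{
    $name = strtolower(rtrim(trim($requested), '.'));
    $labels = explode('.', $name);
    // Walk from the full name towards the bare TLD:
    // blog.domainb.tls -> domainb.tls -> tls
    $count = count($labels);
    for ($i = 0; $i < $count; $i++) {
        $candidate = implode('.', array_slice($labels, $i));
        if (isset($registry[$candidate])) {
            return ['domain' => $candidate, 'owner' => $registry[$candidate]];
        }
    }
    return null;
}

/**
 * Policy: $user may add $requested when no registered domain sits above it
 * (a genuinely new domain) or when the closest one is $user's own. Anything
 * under another account's domain is refused, whatever the suffix looks like.
 */
function may_add_domain(string $user, string $requested, array $registry): bool
{
    $parent = find_parent_owner($requested, $registry);
    return $parent === null || $parent['owner'] === $user;
}

// Constructed sample data: three accounts, one of them on a two-label suffix.
$registry = [
    'domaina.tls'   => 'usera',
    'domainb.tls'   => 'userb',
    'example.co.uk' => 'userc',
];

$requests = [
    ['usera', 'blog.domaina.tls'],   // own domain: allowed
    ['usera', 'blog.domainb.tls'],   // userb's domain: refused
    ['userb', 'www.example.co.uk'],  // userc's domain under .co.uk: refused
    ['userc', 'shop.example.co.uk'], // own domain under .co.uk: allowed
    ['usera', 'newsite.co.uk'],      // no registered parent: allowed
];

foreach ($requests as [$user, $domain]) {
    $verdict = may_add_domain($user, $domain, $registry) ? 'allowed' : 'refused';
    printf("%-6s %-22s %s\n", $user, $domain, $verdict);
}
```

Two points differ from the is_dir() check in the patch. First, the registry has to be server-wide (every account's domains), because the question being asked is whether some other account already owns the parent; looking only inside the requesting user's home cannot answer that. Second, this version allows a subdomain whose parent nobody has registered; if you want the stricter behaviour of the patch, where only subdomains of the user's own existing domains are accepted, also require $parent !== null in may_add_domain(). The registry must never contain a bare public suffix such as co.uk, since whoever held that entry would be treated as the owner of everything beneath it.
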
Re: Everyone can create subdomains!

Posted: Thu Oct 01, 2015 12:25 pm
by mike08
Awesome KuJoe,

I'll give it a try, you are the man, thanks.

Re: Everyone can create subdomains!

Posted: Mon Jan 25, 2021 8:57 am
by dvgroup.co.in
I have fixed this. With this code, if user A owns the domain abc.com, then user B would not be able to add xyz.abc.com.

You can read all the details of how I fixed it in my blog.

https://dvgroup.co.in/blog_detail.php?id=6