Security concern regarding subdomains

evil_smurf
I noticed that users who are given the ability to add their own domains onto their account and/or change their own domains can add a subdomain of another user's domain as their own domain.

I.e., say user Bob with abc123.com and user Fred with abc321.com are present on the box.

Bob can add blah.abc321.com as a domain on his account, even though Fred owns the abc321.com domain.

What security concerns are present here? Obviously Fred wouldn't want Bob to be able to have a subdomain of his account.

What can be done to stop this?
 
Good point. I tested it and it's true that other users can add as a regular domain a subdomain of another user on the same server.
 
I would like admins and resellers to still have the ability to do that, as I make use of this "feature" on many of my customers who just want a subdomain. However, I do not believe users who do not already have that domain under their account should be able to do it. :)
 
This has been discussed previously in these forums.

Search for the discussion ;) .

Jeff
 
Well, searching for anything like this question turns up many, many pages of replies with no subjects really jumping out at me as the one I'm looking for.

Perhaps since you know more about what was said in that particular topic you can point me towards it with a link? ;)
 
The problem is that BIND (the Berkeley Internet Named Daemon) allows subdomain zones to work even though they're not referenced in the main zone file. I reported it years ago as a bug in BIND but the folks who write BIND say it's a feature (though it's not part of the RFCs for name service).

I can't think of a way DirectAdmin would know who should or shouldn't be allowed to create a subdomain as a domain. If you have any idea how it could be done, then tell us.

Jeff
 
You can have a simple text file of who owns what domains written under the user's data file in /usr/local/directadmin/data/users/username/domains.txt

If a user attempts to create a subdomain of a domain that is already listed in domains.txt for another user, then the person is denied.

=)
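The ownership check proposed above, as an added example that is not part of the thread and not DirectAdmin's own code. It assumes each account's domain list is one domain per line in `<base>/<username>/domains.txt` (the page names only the path, not the layout), and it models the earlier request that admins and resellers keep the ability to add other users' subdomains through an assumed `privileged` set. The request is denied when the exact name, or any parent of it, is already listed for a different user; matching is done label by label so `xabc321.com` is not treated as a child of `abc321.com`.

```python
"""
Ownership check for "add a subdomain of someone else's domain" requests.

Added example, not DirectAdmin's code. Assumes <base>/<username>/domains.txt
holds one domain per line (assumption; the thread names only the path).
"""
import os
import tempfile
from typing import Dict, FrozenSet, Iterator, Tuple


def normalise(domain: str) -> str:
    """Lower-case and strip whitespace / trailing dot so comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def load_domain_owners(base_dir: str) -> Dict[str, str]:
    """Map every domain listed in <base_dir>/<user>/domains.txt to its owning user."""
    owners: Dict[str, str] = {}
    for user in sorted(os.listdir(base_dir)):
        path = os.path.join(base_dir, user, "domains.txt")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                dom = normalise(line)
                if dom and not dom.startswith("#"):
                    owners.setdefault(dom, user)  # first claimant wins on duplicates
    return owners


def parent_domains(domain: str) -> Iterator[str]:
    """Yield the ancestors of a name, nearest first: a.b.c.com -> b.c.com, c.com."""
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):  # stop before the bare TLD
        yield ".".join(labels[i:])


def check_domain_request(
    user: str,
    requested: str,
    owners: Dict[str, str],
    privileged: FrozenSet[str] = frozenset(),  # assumed admin/reseller bypass list
) -> Tuple[bool, str]:
    """
    Decide whether `user` may add `requested` as a domain on their account.

    Denied when the exact name, or any parent of it, belongs to a different
    user. Accounts in `privileged` bypass the check. Returns (allowed, reason).
    """
    dom = normalise(requested)
    if user in privileged:
        return True, "privileged account"
    holder = owners.get(dom)
    if holder is not None and holder != user:
        return False, f"{dom} is already owned by {holder}"
    for parent in parent_domains(dom):
        holder = owners.get(parent)
        if holder is not None and holder != user:
            return False, f"{dom} is a subdomain of {parent}, owned by {holder}"
    return True, "no conflicting owner"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a constructed users tree (bob/abc123.com, fred/abc321.com) and run checks."""
    with tempfile.TemporaryDirectory() as base:
        for user, domains in {"bob": ["abc123.com"], "fred": ["abc321.com"]}.items():
            os.makedirs(os.path.join(base, user))
            with open(os.path.join(base, user, "domains.txt"), "w", encoding="utf-8") as fh:
                fh.write("\n".join(domains) + "\n")
        owners = load_domain_owners(base)
    return {
        "bob->blah.abc321.com": check_domain_request("bob", "blah.abc321.com", owners),
        "fred->blah.abc321.com": check_domain_request("fred", "blah.abc321.com", owners),
        "bob->abc321.com": check_domain_request("bob", "ABC321.com.", owners),
        "bob->xabc321.com": check_domain_request("bob", "xabc321.com", owners),
        "admin->blah.abc321.com": check_domain_request(
            "admin", "blah.abc321.com", owners, frozenset({"admin"})
        ),
    }


if __name__ == "__main__":
    for req, (ok, why) in demo().items():
        print(f"{req}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The check only knows about names recorded in the per-user `domains.txt` files, so a subdomain that a user has legitimately set up elsewhere (for instance under a separate account) is invisible to it; the decision is made purely from the ownership records, not from what BIND will actually serve.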
 
Which works only if the user creates the subdomain under the same username.

Which, for example, s/he cannot do if s/he needs a dedicated IP# for the subdomain, because it's going to be a secure site. (For example example.com and secure.example.com.)

I believe this has all been discussed previously on these forums.

Jeff
 