subdomain security flaw

clubhost (Verified User; joined Oct 28, 2004; 42 messages; Sydney, Australia)
Here's the scenario:

Client "A" owns domain.com

I then have another, totally separate client, Client "B", who decides to create an account with "clientb.domain.com" even though he has no relation to Client "A".

DirectAdmin allows it. I should not have to keep a watch on my server to ensure one client is not using other people's domains.

Is there a way to prevent this security flaw?
 
Martynas, I'm not sure that helps; user B can still set up a domain called clientb.domain.com.

This has been discussed before on these forums, but I don't see an easy fix, since there are so many legitimate reasons why such accounts may require different usernames, even under different resellers.

I also don't see how it becomes a real rather than a theoretical threat, as the nefarious user B must:

a) know where domain.com is hosted
b) know that it's a server running DirectAdmin
c) know which hosting company runs that server
d) pay for an account on that server

I suppose it's possible.

Jeff
 
Yes, you are right. I didn't think about it. You can limit account to 1 domain then.
 
That one domain could be the bad subdomain.

There isn't an easy way to prevent this behavior. The only way is to keep track of what domains are being used by whom.
 
Martynas, long before I started working on the 'net I taught a college course in systems analysis; I'd thought this out as well. You can't easily program against it because then you can't allow someone WITH the rights to use the subdomain to use it in their own domain account or reseller account.

That's why I wrote:
there are so many legitimate reasons why such accounts may require different usernames, even under different resellers.
Jeff
 
I would have thought the easiest way to resolve the issue is to have a check made, when adding a domain, that a higher-tiered domain is not under another username, but then have this as an account option that can be turned off if need be.

I understand that this may all sound easy and simple, but it may involve ramifications I haven't thought of. Nonetheless, no matter how remote the chance that someone may find out which domains I am hosting, it is still a security flaw that needs attention.
 
cbservers,

Some of our resellers like to create subdomains of their main domain in a new account so that they can have separate services or SSL certificates for the subdomains. If you limit it so that only one account can create subdomains for a particular domain it would also limit resellers who do this.
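The parent-domain ownership check proposed earlier in the thread (refuse a new domain when a higher-tiered domain belongs to another username, with a per-account switch to turn the check off), the "keep track of what domains are being used by whom" audit, and the reseller exception just described, worked through as an added example. This is not DirectAdmin code and was not posted by anyone in the thread; the account names and the `DOMAIN_OWNERS` table are constructed, and `allowed` is a hypothetical table of grants in which the owner of a parent domain explicitly permits another account to host subdomains under it.

```python
"""Added example (not from the thread or from DirectAdmin): an ownership
check applied when a domain is added, plus an audit over existing domains."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample inventory: domain -> owning username (hypothetical accounts).
DOMAIN_OWNERS: Dict[str, str] = {
    "domain.com": "clienta",
    "shop.domain.com": "clienta",      # same owner as the parent: fine
    "clientb.domain.com": "clientb",   # the scenario from the first post
    "other.net": "clientc",
}

# Grants of the form (parent_domain, username): the parent's owner has
# explicitly allowed `username` to create subdomains under it. This models the
# reseller case where a subdomain lives in a separate account on purpose.
Grant = Tuple[str, str]


def parent_domains(fqdn: str) -> List[str]:
    """Return the higher-tiered domains of fqdn, closest parent first.

    The bare TLD is excluded, so "a.b.domain.com" yields
    ["b.domain.com", "domain.com"] and "domain.com" yields [].
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def conflicting_owner(
    fqdn: str,
    requester: str,
    owners: Dict[str, str],
    allowed: FrozenSet[Grant] = frozenset(),
) -> Optional[Tuple[str, str]]:
    """Return (parent, owner) for the closest parent domain that is owned by a
    different account which has not granted `requester` the right to use it,
    or None when no such parent exists."""
    for parent in parent_domains(fqdn):
        owner = owners.get(parent)
        if owner is None or owner == requester:
            continue
        if (parent, requester) in allowed:
            continue
        return parent, owner
    return None


def can_add_domain(
    fqdn: str,
    requester: str,
    owners: Dict[str, str],
    allowed: FrozenSet[Grant] = frozenset(),
    enforce: bool = True,
) -> bool:
    """The check at domain-creation time. `enforce=False` is the per-account
    option to switch the check off for accounts that legitimately need it."""
    if not enforce:
        return True
    return conflicting_owner(fqdn, requester, owners, allowed) is None


def audit(
    owners: Dict[str, str],
    allowed: FrozenSet[Grant] = frozenset(),
) -> List[Tuple[str, str, str, str]]:
    """Walk the existing inventory and report every domain whose parent is
    owned by a different account without a grant. Each finding is
    (domain, its_owner, parent_domain, parent_owner)."""
    findings = []
    for fqdn, owner in sorted(owners.items()):
        hit = conflicting_owner(fqdn, owner, owners, allowed)
        if hit is not None:
            findings.append((fqdn, owner, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for domain, owner, parent, parent_owner in audit(DOMAIN_OWNERS):
        print(f"{domain} ({owner}) sits under {parent} owned by {parent_owner}")
    # A reseller-style grant makes the same subdomain acceptable.
    grants = frozenset({("domain.com", "clientb")})
    print("with grant:", audit(DOMAIN_OWNERS, grants))
```

Run as a script it lists clientb.domain.com as a finding, and an empty list once a grant for ("domain.com", "clientb") is present. The check walks every parent, not just the immediate one, so "x.clientb.domain.com" requested by a fourth account is still caught by domain.com's ownership even though clientb.domain.com belongs to someone else again.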
 
I wouldn't consider this a security flaw.
What if a user wants to sign up for multiple accounts and use subdomains under the same domain?
Just ban whoever is abusing this feature.
 