PDA

View Full Version : No domain validation

Tommahawk
13th September 2007, 01:35
ISPConfig does not check for a valid domain. You should add...

if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

somewhere. Now the DNS manager folders will not load, I have included a screenshot because it has corrupt the database and it also create folders. e.g

the entry in the dns_isp_dns table

t7v.com | 1 | | 60.241.11.51 |
| 38 | 1016 | /root/Desktop/organised/html/t7v/index.php
t7v.com | 28800 | 7200 | 604800 | 86400 | ns1.ecommsec.com | ns1.ganino.com | admin@/root/Desktop/organised/html/t7v/index.php

1) the folders are created in chroot under pri. folder

2) /root/Desktop/organised/html/t7v/index.php is not a valid domain.

I fixed the issue by deleting 2 references in the database and all is fixed but reseller may be able to expoit the issue and break out of chroot by creating folders.

Need to include the fix

if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

when specifying a domain named for a new site.
falko
13th September 2007, 19:40
Thanks for the report. I've added this to our bugtracker.
Tommahawk
17th September 2007, 04:59
I have also noticed that turning client side javascript off in the browser allows for the creation of empty sites (bypasses the javascript alerts). So a few additional PHP lines to backup the javascript also.

Where would the likely candidate file be to add my fix

function web_insert -> ispconfig_isp_web.lib.php -> ignored
function web_insert -> ispconfig_web.lib.php -> ignored

Perhaps line 234 /home/admispconfig/ispconfig/web/multidoc/edit/edit.php
would adding my fix have other impacts?

Note: Javascript validation is handy and efficient but due to its client side nature you also need the fallback validation of pre-processing scripting langauge like php.
till
17th September 2007, 10:47
ISPConfig does server side checks too, have a look at /home/admispconfig/ispconfig/web/multidoc/edit/edit.php, the regex rules are defined in the forms editor, thats why you wont find them in the sources.

We will check the problem as falko pointed out.
till
23rd September 2007, 20:32
Fixed in SVN and the fix will be part of ISPConfig 2.2.17.