HowtoForge Forums > ISPConfig 3 > Developers' Forum

#21  1st January 2013, 18:04
Typhon (Member)

Quote:
If you use this module, your customers can only select one of the domains the admin creates for them. They cannot freely edit the domain field. You have to re-login after changing this value to make the changes visible.
Are you really willing to say that this is not the best way?
A simple check in the database could avoid this kind of fault, which can compromise the security of the whole host.
With this vulnerability anyone can make a phishing page that is really realistic and with a guaranteed result.
#22  1st January 2013, 18:23
till (Super Moderator, Lüneburg, Germany)

Please see the instructions in post #20 of this thread to enable domain limits. None of your clients will be able to use a domain of another client after you have enabled this. Of course the admin has to enter and assign a domain to a client first, as the system needs to know which client is the owner of which domain. ISPConfig cannot know "out of the blue" which client is the owner of which domain. Assigning a domain to a client by an authoritative person (the administrator) is the only reliable way to do it, as ISPConfig cannot know which relations, contracts etc. define the legal ownership or administration rights of any given domain that exists on the internet.
--
Till Brehm
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#23  1st January 2013, 19:23
Typhon (Member)

Yes, but this method has many defects:
- It takes too much time for the admin and for the client, who maybe needs to deploy his site NOW
- It is the same thing, because the admin doesn't necessarily know that it is the domain of this or that client ... unless he looks at the whois or contacts the customer, which will take much more time

I think the problem can be resolved easily and without 1000 lines of code, simply by checking the domain name with a regex + SQL query and it is done ... like the vast majority of hosts!
#24  1st January 2013, 19:44
till (Super Moderator, Lüneburg, Germany)

Quote:
Yes, but this method has many defects:
- It takes too much time for the admin and for the client, who maybe needs to deploy his site NOW
As an internet service provider, you sell the domains to your customer, so you will have to enter them anyway, as you have to write your customers' invoices etc.

Quote:
- It is the same thing, because the admin doesn't necessarily know that it is the domain of this or that client ... unless he looks at the whois or contacts the customer, which will take much more time
OK, so you say a computer program like ISPConfig shall be able to read contracts and find the real ownership and administration rights for a domain when a human is not able to do this? As administrator, you sold the domain to the customer or he ordered the website for this domain on your hosting page, so you know that he owns the domain.

Quote:
I think the problem can be resolved easily and without 1000 lines of code, simply by checking the domain name with a regex + SQL query and it is done ... like the vast majority of hosts!
OK, please show me the regex that validates that the person who is in front of a computer monitor owns the domain name, or is authorized by the domain owner to create it as a website or email domain, and I will implement it.
#25  1st January 2013, 20:04
Typhon (Member)

Quote:
As an internet service provider, you sell the domains to your customer, so you will have to enter them anyway, as you have to write your customers' invoices etc.
We are not all domain providers.
Quote:
OK, so you say a computer program like ISPConfig shall be able to read contracts and find the real ownership and administration rights for a domain when a human is not able to do this? As administrator, you sold the domain to the customer or he ordered the website for this domain on your hosting page, so you know that he owns the domain.
This is not what I said! You can do a very simple SQL query to find whether there is another website with the same domain, so first come, first served.
And no, this is not better than a human, but it takes less time and it's better when you haven't got this option checked.
Quote:
OK, please show me the regex that validates that the person who is in front of a computer monitor owns the domain name, or is authorized by the domain owner to create it as a website or email domain, and I will implement it.
This is not what I said; I said that with a regex + SQL you can see if a domain is already used ON YOUR SERVER, and this is logical, no?
Although this is not what I said, yes, there is a regex that allows you to do this, and it is an extremely simple regex; you can do it in 15 minutes. (Okay, the script needs to download a whois page from a whois provider (XML, HTML or anything else), and you parse it using a regex to find the name; after this you use a condition and it's done.) But this is not what I said to do. What I said to do is to simply check if a domain is already used by another client if we haven't checked the option of limited domains. Yeah, okay, it's not better than a human, but it's fast all the same.
#26  1st January 2013, 20:16
till (Super Moderator, Lüneburg, Germany)

Quote:
This is not what I said! You can do a very simple SQL query to find whether there is another website with the same domain, so first come, first served.
And no, this is not better than a human, but it takes less time and it's better when you haven't got this option checked.
You cannot add duplicate domains, so if customer 1 added domain1.tld as a mail domain, customer 2 cannot add it. So if that's all you want, then it's already implemented. But it won't solve the phishing problem, as these problems arise when someone adds a domain which is not used on your server but might be used by other customers to send email to.

Quote:
This is not what I said; I said that with a regex + SQL you can see if a domain is already used ON YOUR SERVER, and this is logical, no?
Although this is not what I said, yes, there is a regex that allows you to do this, and it is an extremely simple regex; you can do it in 15 minutes. (Okay, the script needs to download a whois page from a whois provider (XML, HTML or anything else), and you parse it using a regex to find the name; after this you use a condition and it's done.) But this is not what I said to do. What I said to do is to simply check if a domain is already used by another client if we haven't checked the option of limited domains. Yeah, okay, it's not better than a human, but it's fast all the same.
1) You cannot access whois data for all domains with a script. E.g. a .de domain requires a captcha, and some TLDs hide the owner details.
2) The whois data does not always match the client data.
3) Domains can be rented, so the person in the whois is not the person allowed to use it.

So if you reject domains based on whois details, you will get a lot of customer complaints.
#27  1st January 2013, 20:30
Typhon (Member)

Quote:
You cannot add duplicate domains, so if customer 1 added domain1.tld as a mail domain, customer 2 cannot add it. So if that's all you want, then it's already implemented. But it won't solve the phishing problem, as these problems arise when someone adds a domain which is not used on your server but might be used by other customers to send email to.
Okay, but this is so with every host, so this is not a defect and this is not the problem. The problem is that you can make:
- panel-secure-phishing.yourhoster.com
- panel-secure-phishing.aclient.com
And it works perfectly with every domain. THIS is what I am talking about.

#28  1st January 2013, 20:45
till (Super Moderator, Lüneburg, Germany)

Quote:
Okay, but this is so with every host, so this is not a defect and this is not the problem. The problem is that you can make:
- panel-secure-phishing.youhoster.com
- panel-secure-phishing.aclient.com
And it works perfectly with every domain. THIS is what I am talking about.
That's what we made the domain limits for. I understand that you don't like them, but they are the only secure way of securing the server against domain misuse and phishing.

Btw, adding a website panel-secure-phishing.youhoster.com might only do harm if you work with wildcard DNS records, which is not recommended anyway. If you don't use wildcard DNS, nobody can access this site, as the domain owner controls the DNS record. If I add google.com on my ISPConfig server, I will not get any traffic from Google, as their DNS does not point to my server.

There is a feature request in the bugtracker for adding an optional simple database match for website domains, for those who don't like the domain limit feature, so you might want to vote for that. But such a database match can never be really secure, and customers can use it to block your system by adding e.g. a website "co.uk", which is a valid domain name: no other customer will be able to add a site with a mysite.co.uk domain on your server until you remove or rename that site. So while this check adds some pseudo-security, it will cause you trouble on the other side.
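The two approaches argued over in this thread side by side, as an added example that is not part of the original posts and not ISPConfig's own code: the "regex + SQL" database match (reject a name that equals or sits under a domain some other client already has on the server) against the domain-limits mode till describes (a client may only create a site whose name equals or sits under a domain the admin assigned to that client). The table names web_domain and client_domain, their columns, the client ids and the sample rows are assumptions made up for the illustration; Python with an in-memory sqlite3 database is used so the query runs offline. The cases are the ones from the thread: a customer who registered the bare suffix "co.uk" as a website, a phishing host under the hoster's own domain, and a domain that nobody on the server uses.

```python
"""Added example, not ISPConfig code: the naive "already in the database?"
check proposed in this thread next to the domain-limits approach, where a
client may only create sites under a domain the admin assigned to them.
Table names, columns, client ids and rows are assumptions made for it."""
import sqlite3

# Constructed sample rows. Client 0 stands for the hoster's own website;
# client 2 managed to register the bare public suffix "co.uk" as a site.
SAMPLE_WEB_DOMAINS = [
    (0, "yourhoster.com"),
    (1, "aclient.com"),
    (2, "co.uk"),
]
# Domains the admin assigned to clients (domain-limits mode). Nobody was
# assigned "co.uk"; client 3 was assigned the domain it actually owns.
SAMPLE_CLIENT_DOMAINS = [
    (1, "aclient.com"),
    (3, "mysite.co.uk"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database with the assumed schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE web_domain    (client_id INTEGER, domain TEXT UNIQUE);
        CREATE TABLE client_domain (client_id INTEGER, domain TEXT);
        """
    )
    conn.executemany("INSERT INTO web_domain VALUES (?, ?)", SAMPLE_WEB_DOMAINS)
    conn.executemany("INSERT INTO client_domain VALUES (?, ?)", SAMPLE_CLIENT_DOMAINS)
    return conn


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so string comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def naive_db_match_allows(conn: sqlite3.Connection, client_id: int, domain: str) -> bool:
    """The 'regex + SQL' idea: refuse the name if it equals, or is a
    subdomain of, a website domain that belongs to a *different* client.
    The suffix test is done in SQL: name = d OR name LIKE '%.' || d."""
    domain = normalize(domain)
    clash = conn.execute(
        """
        SELECT 1 FROM web_domain
         WHERE client_id != ?
           AND (domain = ? OR ? LIKE ('%.' || domain))
         LIMIT 1
        """,
        (client_id, domain, domain),
    ).fetchone()
    return clash is None


def domain_limits_allows(conn: sqlite3.Connection, client_id: int, domain: str) -> bool:
    """Domain-limits mode: allowed only if the name equals, or is a
    subdomain of, a domain the admin assigned to *this* client. Other
    clients' rows are never consulted, so nobody can block anybody."""
    domain = normalize(domain)
    owned = [
        normalize(d)
        for (d,) in conn.execute(
            "SELECT domain FROM client_domain WHERE client_id = ?", (client_id,)
        )
    ]
    return any(domain == d or domain.endswith("." + d) for d in owned)


def compare() -> dict:
    """Run both checks over the cases discussed in the thread."""
    conn = build_db()
    cases = [
        (3, "mysite.co.uk"),                          # legitimate, but "co.uk" is taken
        (1, "panel.aclient.com"),                     # client 1 under its own domain
        (1, "panel-secure-phishing.yourhoster.com"),  # phishing host under the hoster
        (1, "somebank.example"),                      # domain nobody on this server uses
    ]
    return {
        name: {"naive": naive_db_match_allows(conn, cid, name),
               "limits": domain_limits_allows(conn, cid, name)}
        for cid, name in cases
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:40} naive={verdicts['naive']!s:5} limits={verdicts['limits']}")
```

Running it shows the two failure modes till raises: the naive match rejects client 3's legitimate mysite.co.uk because another customer holds "co.uk", yet it happily accepts somebank.example because no row matches, while the domain-limits check accepts exactly the names under the client's assigned domains and nothing else. Neither check consults whois or DNS; as the post above notes, a site added for a domain whose DNS does not point at the server receives no traffic unless wildcard records are in use. If a hoster nevertheless implements the database match, it should at least refuse bare public suffixes such as "co.uk" at registration time (a recommendation of this example, not something the thread proposes).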
#29  1st January 2013, 20:57
Typhon (Member)

Okay.
Oh, and before I forget: you do a great job, really!
#30  1st January 2013, 22:17
mccharlet (Senior Member)

Hi,

How do I remove the "APS installer" menu and the backup tab on the client control panel?

Best regards
--
Cédric
Sorry for my English.
Hosting: http://www.jheberge.ch