Disallow customers stealing each others wildcard's subdomains, how?

Discussion in 'General' started by John Smith 55, Oct 2, 2015.

  1. John Smith 55

    John Smith 55 New Member

    In the sections Email and Sites, you can pick an arbitrary subdomain, of any of the domain names registered with ISPConfig, as "your" domain name and use it with priority. This just seems to be a major bug to me.

    E.g. customer A has registered the domain CUSTA COM and set it up with DNS and all that on ISPConfig. He reliles on the fact, that WWW CUSTA COM or ANYTHINGGOES CUSTA COM all are served by the wildcard. But instead, it is so that customer B can just come and register WWW CUSTA COM as his "domain" for emails or for his website. And the server will prioritize customer B over customer A with no sense of ownership. E.g. customer B could use the email address mike @ ACCOUNTING CUSTA COM and give off a false sense of identity. Or steal WWW CUSTA COM.

    I mean, this would be a nice feature for some domain that no one uses to provide free subdomains. But otherwise, it can't be good. Especially considering that my server also holds non-paying clients and people who I don't even know their real names of.

    And yes ... anyone can google your nameservers to get a pretty recent and accurate list of domains that run on your server. Just that easy.

    Sorry for the missing dots. The forum software is at fault.
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Enable the Domain-Module?
  3. John Smith 55

    John Smith 55 New Member

    As far as I can see, the domain module entirely disables the users freedom to add domains. This is not what I want at all. I want to disallow "stealing" subdomains from existing domains in the system.

    I have created a snippet for /usr/local/ispconfig/interface/web/sites/web_domain_edit.php and /usr/local/ispconfig/interface/web/mail/mail_domain_edit.php now:

            // CMPQ Domain Ownership check

    $this->dataRecord['domain'] = preg_replace('/[\.\ ]*$/'''$this->dataRecord['domain']);
    $cmpq_tmp = array(); $cmpq_tld preg_match_all('/[a-zA-Z0-9\-\.]+\.[a-zA-Z]+$/'$this->dataRecord['domain'], $cmpq_tmp);
    $this->dataRecord['domain'] = $cmpq_tmp[0][0];; // strip all weird stuff out first
    $cmpq_tld preg_match_all('/[a-zA-Z0-9\-]+\.[a-zA-Z]+$/'$this->dataRecord['domain'], $cmpq_tmp); $cmpq_tld $cmpq_tmp[0][0];
    $cmpq_uid intval($_SESSION["s"]["user"]["userid"]);
    $cmpq_isinsystem false;
    "dns_soa" => "origin""mail_domain" => "domain""web_domain" => "domain") as $cmpq_v => $cmpq_k)
    $cmpq_insystem $app->db->queryOneRecord("SELECT ".$cmpq_k." FROM ".$cmpq_v." WHERE sys_userid != ".$cmpq_uid
    ." AND ".$cmpq_k."='".$app->db->quote($cmpq_tld).($cmpq_k=="domain"?"":".")."';");
    is_bool($cmpq_insystem) && strlen($cmpq_insystem[$cmpq_k]) > 0$cmpq_isinsystem true;
    $cmpq_isinsystem$app->tform->errorMessage .= "ERROR: Top Level Domain is already registered by someone else on this server.<br/>";

    that goes into the function onSubmit() , into the clause if($_SESSION["s"]["user"]["typ"] != 'admin') .
    Last edited: Oct 2, 2015

Share This Page