Discussion in 'Installation/Configuration' started by Typhon, Jul 20, 2012.

    Hello all!
    ISPConfig has a very big problem with SSL and domain names.
    1-Everyone can use every (configured with server DNS) domain with every subdomain, so someone can create a page on for phishing (doesn't exist, it's created by the hacker)
    2-Everyone can create a false SSL certificate or make an error when creating it, and that makes the whole server go down (apache...)
    So it's a very big vulnerability :( How to fix it?
    Can an admin fix it in a new ISPConfig version?
    1) That's only the case if you don't use the domain module to limit domains. Besides that, a DNS zone normally contains only the used subdomains, so there should be no unused subdomains in your zones.

    2) This is a known problem of the apache webserver in general and has already been addressed in ISPConfig SVN. You can avoid that by disabling the ssl option for the client. This option can only be enabled by the client if the site has not been created by the administrator, so if you create the site as admin for your client, as most ISPs do when a client buys a site, then the admin can disable the ssl option and the client cannot turn it on himself again. Some additional functions to limit the ssl creation by clients will get added by the 3.0.5 release.
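Added example, not part of the thread and not ISPConfig's own code: one way to keep a broken or mismatched client certificate from ever reaching the files Apache reads, which is the failure described in point 2. The function names, the staging/live file layout and the `.new` suffix are assumptions made for illustration.

```python
import os
import shutil
import ssl


def check_pair(cert_path, key_path):
    """Return (ok, reason): both PEM files parse and the key matches the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Supply an empty passphrase so the check never prompts on a terminal.
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path,
                            password=lambda: b"")
    except ssl.SSLError as exc:
        return False, "bad PEM or key/certificate mismatch: %s" % exc
    except OSError as exc:
        return False, "cannot read file: %s" % exc
    return True, "ok"


def promote(staged_cert, staged_key, live_cert, live_key):
    """Copy a client-uploaded pair into the live vhost paths only if it is valid.

    On failure the live files are left untouched, so the next web server
    restart still finds the last known-good certificate.
    """
    ok, reason = check_pair(staged_cert, staged_key)
    if not ok:
        return False, reason
    # Key first, then certificate; each file is swapped in with an atomic rename.
    for src, dst in ((staged_key, live_key), (staged_cert, live_cert)):
        tmp = dst + ".new"  # hypothetical temp name beside the live file
        shutil.copyfile(src, tmp)
        os.chmod(tmp, 0o600)
        os.replace(tmp, dst)
    return True, "installed; run the web server's config test before reloading"
```

Running `apachectl -t` after a successful `promote` and before the reload catches errors in the vhost configuration itself, which this check does not cover.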

