Small domain security issue with ISPC

Discussion in 'Developers' Forum' started by djtremors, Feb 28, 2007.

  1. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Hey all,

    I use wild card domains for testing of new sites even when they don't have the domain registered by using a * in a dns server and then on each developing site I use the real name in the ISPC main part and as a co-domain which works well.

    Besides having an issue where I have 2 resellers using this system and it worked fine before but now suddenly getting a "domain is used by another client" and couldn't figure out why it worked before and now doesn't I stumbled upon a fix which is also a hack.

    ISPconfig doesn't check parameters in the Apache Directives for any non allowed entries and only checks for correctiveness.
    My workaround to my problem was to add "ServerAlias" and ispconfig doesn't complain it's inuse by another client or strip it as not being allowed in the directives.

    As much as this doesn't truely effect much as domains names much also be having DNS entries added and this can't create a DNS, thought it might let you guys realise that domain hogging is possible and also can override someone elses and possibly stop Apache working properly when 1 site is in 2 virtual hosts entries...
  2. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Oh also, this removes the effect of the domain limits. I've got limit of 3 and I've just added 5 domains to the directives which basically override the limit. If a co-domain is used then there's 2 ServerAlias settings and it doens't like it.. but just removing all co-domains and setting them in the Apache Directives you can add as many as you like.

    As you can see below, it's added at the top of the vhost file.
    ServerName www.{custrealsitename}
    DocumentRoot /var/www/web26/web
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.jsp Default.htm default.htm
    ErrorLog /var/www/web26/log/error.log
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I dont see this as a security problem. Apache directives can be only entered by the admin and the admin is always able to set domain limits to higher values or move domains to another client.

    Clients are not able to do this. And even for resellers this function is deactivated by default.
  4. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Oh crap you are right.. sorry about that.:confused:

    I'm still stumped on how the hell I managed to get different websites using the same co-domain name but now I can't with another domain. i have at least 3-4 sites doing this and now it doesn't allow me to even as admin.
    AFAIK all the sites belong to "admin"...
  5. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Just a followup on this thread and I thought I was going nuts until I went back to working on this server and noticed where I saw this security issue.

    It's not the Clients but the Reseller that can add httpd directives and NOT just the main admin. Resellers can steal other sites if they are higher in order on the vhost list, they can override the vhosts listed below it.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I dont think that there is a security issue.

    Resellers can not add apache directives if you dont allow it to them. Adding apache directives is disabled by default, but you may enable it in the reseller limits. Please check your reseller limits to makre sure that you did not enable it accidently.
  7. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    I don't think that's a correct solution. Your forcing the resellers to use .htaccess files where there's an easy to use GUI to add necessary additions to the vhost.

    I use apache directives a lot and would not sign up with any provider if i don't have this ability and yet you're saying to switch it off only because ispc doesn't check certain settings that override other sites. That's like adding a co-domain that another customer owns but ispc doesn't checking it.

    I don't get it.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    How shall ISPConfig check that? We would have to implement a complete parser for apache settings. You have currently the ability to enable these or disalke the use of this function in ISPConfig and this is all that we can provide.

    If you want a fine grained security check you will have to do it with the allow override settings from apache and your resellers can put the settings in a .htaccess file.

    ISPConfig is checking this and this a total other level of complexity. It is no problem to check a domain but writing a new parser for the apache config syntax that is really secure is not a trivial task.

    You are free to write a parser for the apache style of config files which is secure and we will add it to ISPConfig.
    Last edited: Apr 9, 2007
  9. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Don't need a serious parser, I'm happy enough to accept a :

    if ( strpos(strtolower($textboxdata),"serveralias ") )

    type if checking for the name which would immediately make it invalid and not allow the changes.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I fear that this is not enough. There are many other things that may be overridden if you are able to enter data directly to the vhost. E.g. php settings, cgi settings, etc.
  11. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Is this even more to the point that if there are admin settings telling that the reseller is not allowed to use (say for example) the PHP Safe mode settings that these should also be checked.
    Another is PHP disabled sites, if all they need to do is add a

    AddType application/x-httpd-php .php .php3 .php4 .php5

    isn't this defeating the purpose of security/privileges? I mean, if I was selling space based on a cheap rate due to the reseller not having any PHP mode and only has static space but they override it by using the directives. Then only stopping that by disabling directives only for them to add it in .htaccess.
    There's got to be some control.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Above you explain exactly why we would need a real parser and why we choosen to deactivate the apache directives box for resellers by default.

    Thats incorrect because zhese directives are disabled for .htaccess files in ISPConfig by default and enabling the apache directives box means that the reseller can go around this builtin limitation.

Share This Page