  1. #1
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276

    plesk security flaw.....help needed

    I just discovered something on my Plesk 8.1 server:

    I'm the server admin and I host my domain name, mydomain.com, in the Plesk CP.

    I have other "clients". Those clients are allowed to create subdomains.

    The problem is, if the customer wants to, they can go to the subdomains settings in their client CP and insert a subdomain such as support.mydomain.com (yes, a subdomain on my domain name) and then they could redirect it to another site or upload their own personal files.


    This is a huge security issue. Has anyone dealt with this?

  2. #2
    Join Date
    Nov 2006
    Location
    USA
    Posts
    762
    I'd run your company website off of another server, or disallow clients subdomain creation rights.

  3. #3
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by PersonalJihad
    I'd run your company website off of another server, or disallow clients subdomain creation rights.
    The thing is that many customers want and use subdomains.

    Also, it's not just my company's website that is affected, it is any domain hosted on the server that is vulnerable.

    I wonder if CPanel has such an issue....

    Thanks

  4. #4
    Join Date
    Jun 2004
    Location
    Ontario Canada
    Posts
    259
    CPanel has the same issue

  5. #5
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by BPrintz
    CPanel has the same issue
    So how do web hosting companies offer sub domains?

  6. #6
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    EDIT: I explained how this flaw works incorrectly. The way a subdomain for a domain name you do not own on the server can be created is as follows:

    1. You click "Add a Domain Name" in the plesk CP
    2. You input in the domain name with WWW checked, a sub domain name, ex: hijacked.stolendomain.com

    The problem is that Plesk accepts subdomains in the "add a domain name field". The problem does not lie in the subdomain CP.

    Sorry for not explaining it properly in the OP.

    Any ideas?

  7. #7
    Join Date
    Oct 2004
    Location
    Latvia
    Posts
    105
    1. Monitor domain creations.
    or
    2. Create a script for "Event manager" to handle this issue. You can even delete this kind of subdomain automatically after creation if the domain is already hosted on this server (simple SQL request + Plesk shell command).
    or
    3. Wait for complaints.

  8. #8
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by GARMTECH
    2. Create a script for "Event manager" to handle this issue. You can even delete this kind of subdomain automatically after creation if the domain is already hosted on this server (simple SQL request + Plesk shell command).
    I'm not a programmer, would you be able to tell me how to do this?

    Thanks

  9. #9
    Join Date
    Dec 2006
    Posts
    76
    Quote Originally Posted by GARMTECH
    2. Create a script for "Event manager" to handle this issue. You can even delete this kind of subdomain automatically after creation if the domain is already hosted on this server (simple SQL request + Plesk shell command).
    Based on what GARMTECH said, I would assume that Plesk stores domain entries in a SQL database. If that's the case, create a cron job that checks the SQL database for new subdomain entries as domains, and if they exist, delete them.

  10. #10
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by ppc123
    I'm not a programmer, would you be able to tell me how to do this?

    Quote Originally Posted by computerwiz3491
    Based on what GARMTECH said, I would assume that plesk stores domain entries in a MySql database. If that's the case, create a cron-job that checks the MySQL database for new subdomain entries as domains, and if they exist, delete them.
    Uh ya, but as I said I'm not a programmer so I don't really know how to "create a cron job that checks and deletes them"

  11. #11
    Join Date
    Jul 2002
    Posts
    3,729
    Quote Originally Posted by BPrintz
    CPanel has the same issue
    Got proof of concept for that? I can't get Cpanel to do it.

  12. #12
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by GARMTECH
    1. Monitor domain creations.
    or
    2. Create a script for "Event manager" to handle this issue. You can even delete this kind of subdomain automatically after creation if the domain is already hosted on this server (simple SQL request + Plesk shell command).
    or
    3. Wait for complaints.
    Does anyone know how to make this script?

  13. #13
    Join Date
    Oct 2004
    Location
    Latvia
    Posts
    105

    * Check Suspect Script (Plesk 7.5-8.1 tested)

    Here is /root/checksuspect.sh script:
    Code:
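    #!/bin/bash
    # Usage: /root/checksuspect.sh <new_domain_name>
    # Mails the admin when the new domain is a subdomain of a domain already in Plesk.
    # bash is required: the script uses arrays, which plain /bin/sh may not support.
    ADMIN_EMAIL="admin@example.com"   # placeholder: set this to your own address
    PASSWORD=`cat /etc/psa/.psa.shadow`
    # The third column of the psa "domains" table is the domain name
    DOMAINS=(`mysql -sN -uadmin -p"$PASSWORD" --execute="select * from domains;" psa | awk '{ print $3 }'`)
    
    len=${#DOMAINS[*]}
    i=0
    while [ $i -lt $len ]; do
            # Match only when $1 ends with ".<existing domain>"
            case "$1" in
                    *."${DOMAINS[$i]}")
                            echo "Suspicious domain $1 created in Plesk. Please note that ${DOMAINS[$i]} already exists in Plesk." | mail -s "Suspicious Domain Notification" "$ADMIN_EMAIL"
                            ;;
            esac
            let i++
    done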
    You must create this file and then create an event action for the "Domain Creation" event. Something like "/root/checksuspect.sh <new_domain_name>" (please refer to Event Manager help). I hope this will help.

  14. #14
    Join Date
    Oct 2004
    Location
    Latvia
    Posts
    105


    Please note that this script produces false positives when a client creates a subdomain as a domain for a domain name already registered in Plesk (his own).

    This script just sends an e-mail - no other action is taken (the domain is not deleted), because the Plesk shell binaries, as far as I know, don't allow that.

    Script exclusively contributed to WebHostingTalk community only.
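
Added example, not part of the thread and not Plesk's own code: the false positive described in post #14 goes away if the suffix check also compares owners, so a client adding a name under his own domain is not reported. The inventory, the owner ids and the function names are constructed for illustration; obtaining the owner of each domain from the control panel's database is assumed and not shown.

```sh
#!/bin/sh
# Added example (not from the thread): flag a new domain only when it sits
# under a hosted domain that belongs to a different client.
# Constructed inventory: "<domain> <owner-id>" per line. On a real server this
# list would come from the control panel's database (lookup not shown).
INVENTORY='mydomain.com 1
stolendomain.com 2
client-a.net 3'

# normalize NAME: lowercase and strip one trailing dot
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# find_conflict NEW_DOMAIN NEW_OWNER
# Prints the hosted parent domain owned by someone else and returns 0,
# or prints nothing and returns 1 when the creation is harmless.
find_conflict() {
    new=$(normalize "$1")
    owner=$2
    # The here-document keeps the loop in the current shell, so return works
    while read -r dom dom_owner; do
        [ -n "$dom" ] || continue
        dom=$(normalize "$dom")
        case "$new" in
            *."$dom")
                # Suffix match on a label boundary: notmydomain.com is not a hit
                if [ "$dom_owner" != "$owner" ]; then
                    printf '%s\n' "$dom"
                    return 0
                fi
                ;;
        esac
    done <<EOF
$INVENTORY
EOF
    return 1
}

# Demo run on constructed input: "<new domain> <owner-id of the creator>"
for pair in "hijacked.stolendomain.com 3" "shop.client-a.net 3" "notmydomain.com 3"; do
    set -- $pair
    if parent=$(find_conflict "$1" "$2"); then
        echo "ALERT: $1 (client $2) is under $parent, owned by another client"
    else
        echo "ok: $1"
    fi
done
```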

  15. #15
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by GARMTECH
    Here is /root/checksuspect.sh script:
    Wow thanks so much!

    So to confirm - this script won't actually delete the subdomain, it will just email me when it is created?

    When I set up the "event" what do I put for the command? "/root/checksuspect.sh <new_domain_name>" ??

    If so, what do you mean by "<new_domain_name>" ?

    Thanks again for sharing.

  16. #16
    Join Date
    Oct 2004
    Location
    Latvia
    Posts
    105
