Vulnerability when adding domains/subdomains

Anonymous777

There is a problem or possible vulnerability that has been carried over from the main project "VestaCP".
When adding a subdomain, there is no check that verifies whether the subdomain the user wants to create is already in use by another user. For example, the panel domain (admin user) is domain.com.
Any other user can create subdomains using the main domain without problems; the same would happen with any other main domain of any user, and that is a problem... Previously, HestiaCP had the same problem two years ago, but they took my report in their forum into consideration and fixed it in the next update.

myVesta
Site Admin

This is as old as VestaCP.
Because there are real reasons why this is and is not an issue.
For example, we deliberately put the forum for myVesta in a separate account, and the main domain is in another account.
Serghey stuck to the story that this is not an issue.

We'll see how we sort this out very soon.
Anonymous777

myVesta wrote: Wed Jun 07, 2023 6:52 am
This is as old as VestaCP.
Because there are real reasons why this is and is not an issue.
For example, we deliberately put the forum for myVesta in a separate account, and the main domain is in another account.
Serghey stuck to the story that this is not an issue.

We'll see how we sort this out very soon.
I currently have acquaintances who want to migrate to MyVestaCP since they have a valid license (I include myself), but this issue is the one that does not allow them to use this beautiful panel, since anyone can create subdomains of main domains that are linked to other users; the same happens with the main domain of the panel... It would be a good idea to use SQLite to have a local database at /usr/local/hestia/conf/users.db; that database would store the domain along with the username that owns or has added the domain in their account. If another user wants to add a subdomain of another user's domain, it would check whether this user owns the main domain. idea of how HestiaCP was able to solve this detail, but I recommend you look at their GitHub code to implement something similar.
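One way to implement the ownership check proposed in this post, as an added example that is not code from myVesta, VestaCP or HestiaCP: a hypothetical SQLite registry of domain to owner, and a check that refuses a new name when it, or any parent domain, is already held by a different panel user. The table name, function names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample registry: panel domains and the panel user that owns each.
SAMPLE_DOMAINS = [
    ("domain.com", "admin"),          # the panel's own domain
    ("forum.domain.com", "forumuser"),
    ("shop.example.org", "alice"),
]


def open_registry(rows=SAMPLE_DOMAINS):
    """Build the hypothetical domain -> owner registry in an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    db.executemany("INSERT INTO domains VALUES (?, ?)", rows)
    return db


def normalize(domain):
    """Lower-case and strip a trailing dot so a lookup cannot be dodged by spelling."""
    return domain.strip().rstrip(".").lower()


def parent_domains(domain):
    """Yield each ancestor of a name, e.g. a.b.c.com -> b.c.com, c.com (never the bare TLD)."""
    labels = normalize(domain).split(".")
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:])


def owner_of(db, domain):
    """Return the registered owner of an exact name, or None if it is not registered."""
    row = db.execute("SELECT owner FROM domains WHERE domain = ?", (normalize(domain),)).fetchone()
    return row[0] if row else None


def check_add_domain(db, user, domain):
    """Return (allowed, reason). Refuse if the exact name exists or a parent is held by another user."""
    domain = normalize(domain)
    existing = owner_of(db, domain)
    if existing is not None:
        return False, f"{domain} already exists (owner: {existing})"
    for parent in parent_domains(domain):
        holder = owner_of(db, parent)
        if holder is not None and holder != user:
            return False, f"parent {parent} belongs to {holder}"
    return True, "ok"
```

As written, the check would also block the deliberate split myVesta describes (forum in one account, main domain in another), so a real implementation would need an admin-granted exception for such cases.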