[BUG] Any user can create a subdomain for any domain using the HestiaCP DNS server even for other users. #1622

Closed
KuJoe opened this issue Feb 15, 2021 · 5 comments
Labels
bug Something isn't working security Issues related to security components

Comments

@KuJoe

KuJoe commented Feb 15, 2021

Describe the bug
Any user can create a subdomain for any domain on the server and create content using that domain. The Add Web Domain button does not validate whether or not the domain created is a subdomain of a domain already on the server. If user1 owns domain1.com and uses the nameservers for the HestiaCP server, user2 on the same server can create any subdomain for domain1.com, upload any content they want and act like they own the domain, as long as both users are on the same server and the domain is being managed by the same DNS server. This can be a problem for shared hosting environments. Additionally, users can send e-mail from this subdomain, which would appear legitimate to most e-mail clients since the SPF and DKIM records would be valid.

To Reproduce
What steps did you take when the issue occurred?

  1. Point domain to the HestiaCP server using the nameservers.
  2. Add the TLD to one user using the Add Web Domain.
  3. Add a subdomain of the TLD to another user using the Add Web Domain and check "Create DNS Zone".
  4. View both domains in a browser.

Expected behavior
Throw an error if the user tries to add a subdomain using the Add Web Domain form if the TLD exists for another user (alternatively make a checkbox to enforce this or not).

NOTE: Please do not enforce this for command line and API calls since some shared hosts give out free subdomains. Enforcing this at a user level (i.e. the PHP form) would be a better option.

Operating system:
Ubuntu 20.04 LTS

Hestia Control Panel version:
v1.3.2

Additional context
DirectAdmin has added a checkbox to their settings for this, which might be a better solution (screenshot attached in the original issue).
(Link to DA feature request for further info: https://www.directadmin.com/features.php?id=925)

For additional reference, here's an old thread from VestaCP with 2 possible solutions (mine being the worst of the 2):
https://forum.vestacp.com/viewtopic.php?f=13&t=9175

@sickcodes

Validated all of the above with KuJoe. We have quite a few more concerns specific to Hestia, can someone at HestiaCP reach out privately? https://twitter.com/sickcodes

@ScIT-Raphael
Member

@sickcodes please contact us under info@hestiacp.com.

@jaapmarcus jaapmarcus added bug Something isn't working security Issues related to security components labels Feb 15, 2021
@jaapmarcus
Member

jaapmarcus commented Feb 28, 2021

We have fixed the issue in #1642

The suggested fix in your PHP script didn't work, as it allowed adding subdomains under different users via the API.
The 2nd option used an outdated list and wasn't perfect.

Used the "official" list from https://github.com/publicsuffix/list/blob/master/public_suffix_list.dat

We will update it to the latest version with every Hestia update. Use v-add-web-domain-allow-users / v-delete-web-domain-allow-users to enable / disable the security check for that domain only. To be used by developers, or for any other reason you might...

We will ship the fix together with 1.4.0 after beta testing.
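The check described in this thread, as an added illustration that is not part of the issue, the linked PR or Hestia's own code: derive the registrable (apex) domain of a requested web domain from a Public Suffix List, refuse the request when that apex already belongs to a different user, and honour a per-domain override standing in for the `v-add-web-domain-allow-users` behaviour the maintainer describes. The PSL excerpt, the user/domain map and the override set are constructed sample data; the function names are assumptions chosen for the example.

```python
"""Added example: block subdomains of another user's domain (constructed data).

The registrable-domain logic follows the Public Suffix List algorithm
(longest matching rule wins, '!' exception rules take precedence, '*'
matches one label, no match means the TLD itself is the suffix).
"""

# Constructed excerpt standing in for public_suffix_list.dat (the real file
# has thousands of rules); same line syntax as the real list.
SAMPLE_PUBLIC_SUFFIXES = """
// ---- constructed excerpt for the example, not the real file ----
com
net
uk
co.uk
*.ck
!www.ck
"""


def parse_psl(text):
    """Return the list of PSL rules, lower-cased, without comments or blanks."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


PSL_RULES = parse_psl(SAMPLE_PUBLIC_SUFFIXES)


def _rule_matches(rule_labels, labels):
    """True when the rule labels match the right-hand labels of the domain."""
    if len(rule_labels) > len(labels):
        return False
    return all(rl == "*" or rl == dl
               for rl, dl in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules):
    """Public suffix of `domain`, or None if the domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    matches = []  # (is_exception, suffix_label_count)
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            # An exception rule's suffix is the rule minus its leftmost label.
            matches.append((exception, len(rule_labels) - (1 if exception else 0)))
    exceptions = [n for exc, n in matches if exc]
    if exceptions:
        length = exceptions[0]
    elif matches:
        length = max(n for _, n in matches)
    else:
        length = 1  # prevailing rule "*": the TLD alone is the suffix
    if length >= len(labels):
        return None
    return ".".join(labels[-length:])


def registrable_domain(domain, rules):
    """Apex (public suffix plus one label), or None if none exists."""
    suffix = public_suffix(domain, rules)
    if suffix is None:
        return None
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-(len(suffix.split(".")) + 1):])


# Constructed state: which user owns which existing web domain.
DOMAIN_OWNERS = {"domain1.com": "user1", "example.co.uk": "user1", "free.net": "user3"}
# Constructed override set: apex domains whose owner allows other users'
# subdomains (the role of v-add-web-domain-allow-users in the fix).
ALLOW_OTHER_USERS = {"free.net"}


def check_add_web_domain(user, new_domain, owners=DOMAIN_OWNERS,
                         allowed=ALLOW_OTHER_USERS, rules=PSL_RULES):
    """Return (permitted, reason) for `user` adding `new_domain`."""
    new_domain = new_domain.lower().rstrip(".")
    if new_domain in owners:
        return False, "domain already exists"
    apex = registrable_domain(new_domain, rules)
    if apex is None:
        return False, "domain is a public suffix and cannot be added"
    owner = owners.get(apex)
    if owner is None or owner == user:
        return True, "ok"
    if apex in allowed:
        return True, "parent domain owner allows subdomains for other users"
    return False, "parent domain %s is owned by another user" % apex


if __name__ == "__main__":
    for who, dom in [("user2", "shop.domain1.com"), ("user1", "shop.domain1.com"),
                     ("user2", "sub.example.co.uk"), ("user2", "mysite.free.net"),
                     ("user2", "domain2.com")]:
        print(who, dom, check_add_web_domain(who, dom))
```

The `co.uk` and `*.ck` cases show why a current suffix list matters: with a plain "last two labels" rule, `sub.example.co.uk` would resolve to the apex `co.uk`, which nobody owns, and the check would wrongly pass.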

@sickcodes

Good idea implementing the fix as an optional feature, as obviously not all end users need the security enhancements, mainly only those involved with sub-hosting or sub-usership.

I'll do some testing shortly myself and we'll publish the findings :) great work team!

@sickcodes

sickcodes commented May 12, 2021

Update:

This issue was assigned CVE-2021-27231 and was fixed in 1.4.0.
Advisory:

https://sick.codes/sick-2021-006

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-006.md
