
Don't allow a domain in another user's account to be created as a sub in another client

Amin Taheri

Golden Pleskian
Plesk Certified Professional
So I found out that if clientA has domain.com in their account, clientB can set up host1.domain.com in their account.

Then this client can set up a website, email, etc. and possibly even phish with it.

Typically this won't be a problem unless there is a DNS record explicitly set for that host, but lots of registrars include a * (star) record, meaning any non-defined host records resolve to X.

So a lot of people I have seen just set the * record to the web server so that they don't have to manage DNS for each subdomain they set up.

This then creates the possibility of that problem.

Repro steps (any server, any OS, Plesk 8.1.1)

Login as clientA account
Add domain.com to the clientA account
Log out as clientA

Login as new clientB account
Add client.domain.com to the client account

Expected result: Should fail, as the root SLD/TLD is already used on the server in another account.

Actual result: Succeeds and allows continuation into setup of redirection or physical hosting. Once done, you can also set up email accounts.

According to Plesk support this is a known "feature". Personally I see this as a potential security hole, and it would be nice if this behavior were disabled by default with the option to enable it. Currently it is enabled by default with no option to disable.
 
I can think of situations where you would want to allow sub1.domain.com and sub2.domain.com to be under different client accounts. Plesk automatically creates A records for subdomains, but if DNS is hosted externally it is of course very tempting to set up wildcard DNS. Tricky...
 
Yes, there are plenty of situations when it may be wanted, but it's better security to disallow these types of things by default and allow them to be enabled when needed instead of by default.
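The ownership check the report asks for (creating host1.domain.com in clientB's account fails while domain.com belongs to clientA), combined with the per-domain opt-in discussed in the replies, as an added Python example that is not Plesk's own code. The DomainRegistry class, the client ids and the domain names are constructed for illustration.

```python
"""Cross-account domain ownership check (added example, not Plesk code).

Default policy: a new name is rejected if any parent domain is registered to a
different client account. An administrator can opt in per parent domain
(shared_parents), which is the "enable when needed" case from the thread.
"""
from dataclasses import dataclass, field


@dataclass
class DomainRegistry:
    # domain name (lowercase, no trailing dot) -> owning client id; constructed data
    owners: dict[str, str] = field(default_factory=dict)
    # parent domains for which cross-account subdomains were explicitly allowed
    shared_parents: set[str] = field(default_factory=set)

    @staticmethod
    def normalize(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def parents(self, name: str):
        """Yield every parent down to the second-level domain, nearest first.
        host1.domain.com -> domain.com; a.b.domain.com -> b.domain.com, domain.com.
        Public suffixes such as co.uk are not special-cased here (assumption)."""
        labels = self.normalize(name).split(".")
        for i in range(1, len(labels) - 1):
            yield ".".join(labels[i:])

    def check_add(self, name: str, client: str) -> tuple[bool, str]:
        name = self.normalize(name)
        if name in self.owners:
            return False, f"{name} already exists in account {self.owners[name]}"
        for parent in self.parents(name):
            owner = self.owners.get(parent)
            if owner is None or owner == client:
                continue  # unknown parent, or the same account: fine
            if parent in self.shared_parents:
                continue  # admin explicitly opted in for this parent
            return False, f"{name} is a subdomain of {parent}, owned by account {owner}"
        return True, "ok"

    def add(self, name: str, client: str) -> bool:
        """Register the name if the policy allows it; return whether it was added."""
        ok, _reason = self.check_add(name, client)
        if ok:
            self.owners[self.normalize(name)] = client
        return ok
```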
 