subdomain major security flaw found...help needed

[ppc]

I just discovered something on my Plesk 8.1 server:

I'm the server admin and I host my domain name: mydomain.com. in the Plesk CP.

I have other "clients". Those clients are allowed to create subdomains.

The problem is, if the customer wants to, they can go to the add a domain settins in their client CP and insert a subdomain such as support.mydomain.com(yes a sub domain on my domain name) and then they could redirect it to another site or upload their own personal files.

And obviously, this does not only apply to my websites but any websites on the server.

This is a huge security issue. Has anyone dealt with this? SWSOFT?

 

[nullsystems]

Is this on linux, if so, what version, can you give anymore specific details of your system configuration?

Can you give a step by step guide of how tihs is done, I will try and replicate this.

 

[ppc]

Originally posted by nullsystems
Is this on linux, if so, what version, can you give anymore specific details of your system configuration?

Can you give a step by step guide of how tihs is done, I will try and replicate this.

Well this is the Plesk 8.1 for Linux forum So Yeah, I'm using Plesk 8.1 on Linux. Centos 4.

Just create a client(make sure to give the client the permission to add a domain). Login as the client. Go to add a domain and input as the domain name, a subdomain for another domain that does not belong to the customer, meaning you could put in stolen.theadminsdomainname.com as the domain name and then you would be able to redirect that sub(domain) or add files and use that other domain name for whatever you want.

Thanks so much...