1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

subdomain major security flaw found...help needed

Discussion in 'Plesk for Linux - 8.x and Older' started by ppc, Jan 17, 2007.

  1. ppc

    ppc Guest

    I just discovered something on my Plesk 8.1 server:

    I'm the server admin and I host my domain name: mydomain.com. in the Plesk CP.

    I have other "clients". Those clients are allowed to create subdomains.

    The problem is, if the customer wants to, they can go to the add a domain settins in their client CP and insert a subdomain such as support.mydomain.com(yes a sub domain on my domain name) and then they could redirect it to another site or upload their own personal files.

    And obviously, this does not only apply to my websites but any websites on the server.

    This is a huge security issue. Has anyone dealt with this? SWSOFT?
  2. nullsystems

    nullsystems Guest

    Is this on linux, if so, what version, can you give anymore specific details of your system configuration?

    Can you give a step by step guide of how tihs is done, I will try and replicate this.
  3. ppc

    ppc Guest

    Well this is the Plesk 8.1 for Linux forum :) So Yeah, I'm using Plesk 8.1 on Linux. Centos 4.

    Just create a client(make sure to give the client the permission to add a domain). Login as the client. Go to add a domain and input as the domain name, a subdomain for another domain that does not belong to the customer, meaning you could put in stolen.theadminsdomainname.com as the domain name and then you would be able to redirect that sub(domain) or add files and use that other domain name for whatever you want.

    Thanks so much...