• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question Subdomain security

V

vic666

New Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
18.0.57 #5
I'm running various web apps on my domain and several sub domains. It seems that one of these apps (based on PHP) had a vulnerability that was exploited. As a consequence, not only the app of that particular (sub) domain was affected but the main domain and all other sub domains, too. Code was injected all over the place and new files have been created, it's a complete mess.

Is there something I can do to establish a better separation of the main domain and its sub domains? It's bad enough when one app gets hacked, but when one hack can affect all other apps on the domain, that's really bad.
 
I think I can answer my own question. Simply don't use the function "Add Subdomain" and instead add a regular domain that actually points to the subdomain.

I guess the only good reason to even use the function "subdomain" is to avoid restrictions in terms of how many domains can be added to a subscription.
 
The only way to avoid this is to have separate subscriptions for each domain. Subdomain or Domain makes no difference. The issue can occur, because all domains and subdomains share the same system user. For that reason scripts can access all paths inside the same subscription. They cannot access paths outside the subscription, so if you separate domains into different subscriptions, you are much safer.
 
Hi Peter, yes, I figured. Just to be clear, when I say "subdomain", I'm referring to the functionality "Add subdomain" in Plesk. As far as I understand, it's not possible to create a subdomain this way and still add it to its own subscription. So, the only way to do this is to "Add new domain", and then enter the name of the subdomain in question, making sure that a new subscription is created.
 
You must log in or register to reply here.

Similar threads

H
Resolved Unable to Disable Node.js Application in Plesk – App Remains Accessible
Replies
1
Views
850
HawkSky
H
Azurel
Question Isolating Applications in Plesk – Separation of Owner Privileges and Subdomain Management Across Subscriptions?
Replies
2
Views
272
Azurel
Azurel
M
Question no DNS answer on main domain
Replies
8
Views
993
maennchen1
M
H
Question SSH user can see other subdomain directories even with chrooted shell?
Replies
3
Views
517
Raul A.
R
I
Resolved http3 issue with Angular app
Replies
4
Views
882
igorosabel
I
Back
Top