User allowed to park subdomain of other users domain

Discussion in 'Security' started by WhiteDog, Sep 24, 2011.

  1. WhiteDog

    I am actually trying to achieve this, but found a way I think should not be allowed.

    The original problem
    A lot of my new customers are transferring over with existing domains. Before the domain is transferred I want to offer them the possibility to set up and prepare their website. There are 2 solutions to do this: mod_userdir or parking an existing (sub)domain on their account. As mod_userdir has issues with suPHP I choose to do the latter.

    The pretty way
    All I really need is to be able to script parking and unparking domains using the WHM API. See my support for cPanel case 33066.

    The ugly way
    1. change a user's feature list to allow parked domains
    2. park the domain using xml-api / API2 Park :: park.
    3. change the feature list again.

    The security issue?
    1. I have the domain temporarydomain.com set up on server A.
    2. temporarydomain.com is synced using DNS Cluster to server B as well.
    3. I create an account with domain transferlater.com and user "happy".
    4. I log on to the cPanel interface on server B with user "happy".
    5. I go into "Parked Domains" and choose to park "happy.temporarydomain.com". This works!

    So in short, I am able to park a subdomain of a domain owned by a user on another server.
    And yes, I have all the relevant settings turned off in "Tweak Settings" in WHM.


    Although I'm happy with this (workaround for my initial problem) I do feel this is a security issue. If I don't report this, someone else will someday, and my workaround will cease to work anyway at that point :) If this is intended behaviour, fine also :)

    Can someone from cPanel shine some light on this?

    Many thanks!
     
  2. JeffP.

    Hi WhiteDog,

    Thanks for your input on this matter. This issue is being tracked under internal case ID # 45264. A "case" is basically the same thing as a bug report.

    Thanks!
     
  3. WhiteDog

    Hello Jeff,

    I also submitted this through cPanel Support. There I received internal case #53514.

    I do hope this loophole can remain open in some way too as I depend on it for my problem with parking domains.
    Perhaps you can give the request to allow domain parking through WHM directly a bump? :)
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Case 53514 is not yet addressed. However, case 45264, which was about this being possible even if you disallowed this in Tweak Settings, was addressed in 11.31.2.9.
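
Added example, not part of the thread and not cPanel code: a defender-side audit for the condition described in the first post, where an account on one clustered server holds a subdomain of a domain owned by a different account on another server. It assumes `domain: user` lines in the format of cPanel's `/etc/userdomains`; the server contents, the user `staging` and the function names are constructed for illustration.

```python
# Constructed sample data in "domain: user" form (assumed /etc/userdomains format).
SERVER_A = """\
temporarydomain.com: staging
*: nobody
"""
SERVER_B = """\
transferlater.com: happy
happy.temporarydomain.com: happy
nottemporarydomain.com: other
"""


def parse_userdomains(text, server):
    """Return {domain: (user, server)} from 'domain: user' lines."""
    owners = {}
    for line in text.splitlines():
        domain, sep, user = line.partition(":")
        domain = domain.strip().lower().rstrip(".")
        if not sep or not domain or domain == "*":
            continue  # skip blanks, malformed lines and the wildcard entry
        owners[domain] = (user.strip(), server)
    return owners


def find_foreign_subdomains(*maps):
    """Flag domains that sit under a domain held by a different user/server."""
    cluster = {}
    for m in maps:
        cluster.update(m)
    findings = []
    for domain, (user, server) in sorted(cluster.items()):
        labels = domain.split(".")
        # Walk up parent domains on label boundaries, nearest parent first,
        # so "nottemporarydomain.com" never matches "temporarydomain.com".
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in cluster:
                p_user, p_server = cluster[parent]
                if (p_user, p_server) != (user, server):
                    findings.append(
                        (domain, user, server, parent, p_user, p_server))
                break
    return findings


if __name__ == "__main__":
    maps = (parse_userdomains(SERVER_A, "A"), parse_userdomains(SERVER_B, "B"))
    for f in find_foreign_subdomains(*maps):
        print("%s (%s@%s) is under %s (%s@%s)" % f)
```

Each finding is a candidate for review rather than proof of abuse, since the same customer may legitimately hold accounts on both servers.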
     