sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX
GNU General Public License v3.0

Adding new Subdomains and Emails should verify if the user is the owner of that domain. #172

Closed apintocr closed 9 years ago

apintocr commented 9 years ago

As pointed on the forums: http://forums.sentora.org/showthread.php?tid=1680&pid=10796

iammeat commented 9 years ago

Hi. No other control panel in existence performs this kind of sanity check. It's too hard to confirm the information.

For example, what if the person in question has privacy on their domain, and the domain is owned by "godaddy.com"?

eByte23 commented 9 years ago

You don't understand the verification that is being discussed: this is for a user that has added a domain. The user can manipulate the dropboxes and change the value, thus allowing them to change what is input into the database, allowing them to send other people's emails to them or create a subdomain of someone else's domain under their account.

allebb commented 9 years ago

Yeah, I agree, trash this FR!

There are also instances where you may be hosting the site on behalf of the domain owner.

Just my two cents worth :)

~ballen

eByte23 commented 9 years ago

From memory, when I did testing the other day, the Mailboxes, forwarders, aliases, subdomains and DNS modules needed to be fixed. The DNS one wasn't too bad, but I still was able to get further than I should have been able to.

allebb commented 9 years ago

Hi Elijah,

Unless the code has been removed recently, that verification already exists in Sentora, as you can only add mailboxes for domains you've added to the server anyway.

Hope this helps, Bobby

eByte23 commented 9 years ago

Hi Bobby,

I'll test again, but I am pretty sure that when I did it the other day I was able to add someone@example.com by doing manipulation, and asub.example.com as a subdomain etc., without example.com registered in Sentora.

Re-checking now... Elijah

eByte23 commented 9 years ago

Confirmed. Created user someone@example.com and logged into webmail.

Confirmed: alias created admin@facebook.com to destination of an internal account.

Confirmed: created subdomain asub.example.com. Checked code, no validation from POST data.
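The defect confirmed above is that the server trusts the domain value posted from the form instead of checking that the domain belongs to the logged-in account. The following PHP is an added example written for this thread, not Sentora's own code; the `domains` and `mailboxes` tables and their columns are hypothetical and exist only to show the ownership check beside the unchecked version.

```php
<?php
// Added example, not Sentora code. Table and column names are hypothetical.

function createMailboxVulnerable(PDO $db, int $userId, array $post): void
{
    // Trusts the posted domain verbatim. Editing the dropdown value in the
    // browser lets a user register someone@example.com without owning example.com.
    $db->prepare('INSERT INTO mailboxes (user_id, address) VALUES (?, ?)')
       ->execute([$userId, $post['local'] . '@' . $post['domain']]);
}

function createMailboxChecked(PDO $db, int $userId, array $post): bool
{
    $local  = $post['local']  ?? '';
    $domain = $post['domain'] ?? '';
    // Keep the local part to a conservative character set.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/i', $local)) {
        return false;
    }
    // Authorisation: the domain must be one this account added to the panel.
    // The decision comes from the database, never from the submitted form.
    $stmt = $db->prepare('SELECT 1 FROM domains WHERE user_id = ? AND name = ?');
    $stmt->execute([$userId, $domain]);
    if ($stmt->fetchColumn() === false) {
        return false; // not owned by this user: refuse the request
    }
    $db->prepare('INSERT INTO mailboxes (user_id, address) VALUES (?, ?)')
       ->execute([$userId, $local . '@' . $domain]);
    return true;
}

// Demo with an in-memory SQLite database and constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE domains (user_id INTEGER, name TEXT)');
$db->exec('CREATE TABLE mailboxes (user_id INTEGER, address TEXT)');
$db->exec("INSERT INTO domains VALUES (1, 'mine.test'), (2, 'example.com')");

// User 1 submits another account's domain, as a tampered dropdown would.
$tampered = ['local' => 'someone', 'domain' => 'example.com'];
var_dump(createMailboxChecked($db, 1, $tampered));
// User 1 submits a domain they actually added.
var_dump(createMailboxChecked($db, 1, ['local' => 'me', 'domain' => 'mine.test']));
```

The same lookup applies to forwarders, aliases and subdomains: resolve the owner of the parent domain from the database before accepting any record that hangs off it.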

allebb commented 9 years ago

Righto, yeah that needs looking at then... Good find!

eByte23 commented 9 years ago

Yep sure does...Yeah I'll do them now while I'm going.

eByte23 commented 9 years ago

@5050 @motters @Caffe1neAdd1ct @TGates71

apintocr commented 9 years ago

This has SERIOUS implications and should be marked as critical.

eByte23 commented 9 years ago

? this has been merged now. What do you mean? I should probably close the issue now.

apintocr commented 9 years ago

This also works on FTP with all the issues that brings... I'm working on a HotFix for this.

eByte23 commented 9 years ago

Yeah that module needs some work. It has issues.