Ubuntu 14.04
0.9.8 20
apache, nginx, mysql, bind
Users can create and use subdomains for domains of other clients whose domain zone is hosted on our server.
This is unacceptable.
I was able to reproduce this issue. Ubuntu 16.04 with VESTA 0.9.8 r20
I was also able to obtain a Let's Encrypt SSL certificate for the subdomain!
This situation could lead to serious problems.
I was able to reproduce this on my production servers and a fresh install. Centos 7 & ArchLinux Vesta 0.9.8 r20
Like @ifaist0s I was able to obtain Let's Encrypt SSL certificate for the subdomains.
This is a severe issue, even more with the possibility of getting a valid SSL certificate for the subdomain.
This makes not admin user can create a subdomain in main domain.
I'm really disappointed to see that such a security issue was closed by the maintainer. Dismissing such an issue so easily, unfortunately marks VESPA CP as a LAB/Testing Software, not suitable for hosting/production use.
Alas if anyone could get _support.vestacp.com,_ or _billing.vestacp.com,_ by only hosting it on the same server as _vestacp.com_.
I have lot of servers running on vestacp with lot of custimisations and scripts made just for it.
Time to do a fork just to repair this (or at least be able to disable it).
Most helpful comment
I'm really disappointed to see that such a security issue was closed by the maintainer. Dismissing such an issue so easily, unfortunately marks VESPA CP as a LAB/Testing Software, not suitable for hosting/production use.
Alas if anyone could get _support.vestacp.com,_ or _billing.vestacp.com,_ by only hosting it on the same server as _vestacp.com_.