Current time: 12-24-2024, 10:57 PM Hello There, Guest! (LoginRegister)


Post Reply 
Possible solution for mail hijacking
Author Message
Breaki Offline
Junior Member
*

Posts: 109
Joined: Sep 2007
Reputation: 5
Post: #1
Possible solution for mail hijacking
To force the release of RC3 i try to help you on fixing the open tickets.

I opened this topic here, because i have no write access to the "Security Advisories" section of the board.

I think the best solution for Ticket #573 is to prevent the endusers on adding alias-domains. This should be in the menu of the reseller because most endusers wont have access to a DNS-server to link the new domain alias to the IP of the server. In the most cases the reseller registers the domain and than only he should add the newly registerd (or by a KK) domains to the ispCP system, cause he can check the order of the user, if the domain is available (or free for a KK) or it is already registered by an other person. And if the user registers the domains himself the reseller can also check the ns-section of the NIC.
I can't see any need of this in the enduser section, so lets move it to the reseller panel.

If you give me your Ok to this solution i try to modify the scripts.

Best wishes,

Breaki
09-03-2007 10:52 PM
Visit this user's website Find all posts by this user Quote this message in a reply
rbtux Offline
Moderator
*****
Moderators

Posts: 1,847
Joined: Feb 2007
Reputation: 33
Post: #2
RE: Possible solution for mail hijacking
full ack
09-03-2007 10:56 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #3
RE: Possible solution for mail hijacking
I what I thougt about; I'll disscuss it with malte!
09-04-2007 02:45 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #4
RE: Possible solution for mail hijacking
Hi

This is more or less a variant of what I wrote in the ticket.
Domain aliases (which are the first step to use a new domain in a already existing account) have to pe approved. This can be
- move the whole domain-alias creation to the reseller, or
- create a new "status" for domain aliases: tobeapproved, so a user can add a new domain alias but the engine does not install this into the system unless a reseller give the "ok", or
- at least an automated check at the NIC or similar to find out if it's plausible to accept a new domain alias.

Solution 2 would offer the possibility to use this feature for other things (e.g. making changes in the DNS - I hope we'll have a DNS manager in the future...)

/Joximu
09-04-2007 08:20 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: Possible solution for mail hijacking
currently I for myself think, that the solution with the new status is the best way.
And it shouldn't be that hard to integrate Wink


A full dns-manager will come - but not in 1.0.
The datamodell is not ready for such things.
I'm currently on the way to create a proposal for a new database layout for the 1.1 .
09-04-2007 08:27 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Breaki Offline
Junior Member
*

Posts: 109
Joined: Sep 2007
Reputation: 5
Post: #6
RE: Possible solution for mail hijacking
hm... everytime i try to reply i get an error (500) ...

i also think that solution 2 is the best way to solve this problem, maybe we can add a domain-check (if it's free) in the future at the user-panel (to use this for ordering new domains, which can be handled like ordering hosting-packages).

i will have a look at the code and maybe doing something tomorrow Wink

greetz
09-04-2007 08:33 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #7
RE: Possible solution for mail hijacking
Yes i´m with you. As joximu said we already discuss about it and it is the best way.
Quote:i will have a look at the code and maybe doing something tomorrow
This would be perfect - Thanks!

Greez
09-04-2007 06:59 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #8
RE: Possible solution for mail hijacking
My solution would be:
* deactivate the users possibility to add domains
* possibility to order domains via ticket to reseller (and separate button)
09-05-2007 05:51 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Breaki Offline
Junior Member
*

Posts: 109
Joined: Sep 2007
Reputation: 5
Post: #9
RE: Possible solution for mail hijacking
RatS Wrote:* deactivate the users possibility to add domains
done

RatS Wrote:* possibility to order domains via ticket to reseller (and separate button)
the reseller can activate the domains in his "manage users --> domain alias" section.

i started to modify the code this day and the first steps are done. the only problem is, that i have to learn where which function is in the sources and to check twice that modified code won't break up others.

i will do it - and maybe good Wink

greetz

CHANGES:
- if an alias is set by the client it would be set to "ordered" and not to "toadd" (so it won't be affected by the rqst_mngr)
- edited ispcp_rqst_mngr for added status "ordered"
- changed some reseller gui files for displaying the correct things and no errors
- written the scripts for activating the ordered alias and deleting the order if it was wrong
- edited the ispcp_debugger.php so it won't dispaly any error of the alias-status "ordered"
TODO:
- changing the client gui files (tomorrow)
(This post was last modified: 09-06-2007 01:32 AM by Breaki.)
09-05-2007 06:12 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #10
RE: Possible solution for mail hijacking
I'm preparing a big update to the whole panel right now.
so pls. wait until i've comitted it Wink
then you don't have to rewrite all your code.
09-06-2007 03:02 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 4 Guest(s)