Possible solution for mail hijacking

[Breaki]

To force the release of RC3 i try to help you on fixing the open tickets.

I opened this topic here, because i have no write access to the "Security Advisories" section of the board.

I think the best solution for Ticket #573 is to prevent the endusers on adding alias-domains. This should be in the menu of the reseller because most endusers wont have access to a DNS-server to link the new domain alias to the IP of the server. In the most cases the reseller registers the domain and than only he should add the newly registerd (or by a KK) domains to the ispCP system, cause he can check the order of the user, if the domain is available (or free for a KK) or it is already registered by an other person. And if the user registers the domains himself the reseller can also check the ns-section of the NIC.
I can't see any need of this in the enduser section, so lets move it to the reseller panel.

If you give me your Ok to this solution i try to modify the scripts.

Best wishes,

Breaki

[rbtux]

full ack

[RatS]

I what I thougt about; I'll disscuss it with malte!

[joximu]

Hi

This is more or less a variant of what I wrote in the ticket.
Domain aliases (which are the first step to use a new domain in a already existing account) have to pe approved. This can be
- move the whole domain-alias creation to the reseller, or
- create a new "status" for domain aliases: tobeapproved, so a user can add a new domain alias but the engine does not install this into the system unless a reseller give the "ok", or
- at least an automated check at the NIC or similar to find out if it's plausible to accept a new domain alias.

Solution 2 would offer the possibility to use this feature for other things (e.g. making changes in the DNS - I hope we'll have a DNS manager in the future...)

/Joximu

[ephigenie]

currently I for myself think, that the solution with the new status is the best way.
And it shouldn't be that hard to integrate


A full dns-manager will come - but not in 1.0.
The datamodell is not ready for such things.
I'm currently on the way to create a proposal for a new database layout for the 1.1 .

[Breaki]

hm... everytime i try to reply i get an error (500) ...

i also think that solution 2 is the best way to solve this problem, maybe we can add a domain-check (if it's free) in the future at the user-panel (to use this for ordering new domains, which can be handled like ordering hosting-packages).

i will have a look at the code and maybe doing something tomorrow

greetz

[BeNe]

Yes i´m with you. As joximu said we already discuss about it and it is the best way.

Quote:i will have a look at the code and maybe doing something tomorrow

This would be perfect - Thanks!

Greez

[RatS]

My solution would be:
* deactivate the users possibility to add domains
* possibility to order domains via ticket to reseller (and separate button)

[Breaki]

RatS Wrote:* deactivate the users possibility to add domains

done

RatS Wrote:* possibility to order domains via ticket to reseller (and separate button)

the reseller can activate the domains in his "manage users --> domain alias" section.

i started to modify the code this day and the first steps are done. the only problem is, that i have to learn where which function is in the sources and to check twice that modified code won't break up others.

i will do it - and maybe good

greetz

CHANGES:
- if an alias is set by the client it would be set to "ordered" and not to "toadd" (so it won't be affected by the rqst_mngr)
- edited ispcp_rqst_mngr for added status "ordered"
- changed some reseller gui files for displaying the correct things and no errors
- written the scripts for activating the ordered alias and deleting the order if it was wrong
- edited the ispcp_debugger.php so it won't dispaly any error of the alias-status "ordered"
TODO:
- changing the client gui files (tomorrow)

[ephigenie]

I'm preparing a big update to the whole panel right now.
so pls. wait until i've comitted it
then you don't have to rewrite all your code.