WOW! Did you know that someone can order hosting for a subdomain where the domain already exists and is owned by someone else?


Vox

Hi Guys,

I cannot win on this one..... I am going to be pilloried for publicly posting this but my conscience really cannot let this go on "hidden" from the rest of the community. Everyone really needs to be aware of this.

I was stunned but fortunately MaxMind blocked a fraud order from someone who placed an order for hosting using a subdomain of my own domain!!!!!

I have Setup > General Settings > Ordering : Block Existing Domains is ticked

Unfortunately I thought that this would stop this sort of order - but clearly not.

Anyone can place an order in your WHMCS install for a subdomain of an existing domain on your system.

So if you are hosting your WHMCS install on your own domain of mydomain.com anyone can place a valid order and be set up for a subdomain of scammers.mydomain.com... So do not go to sleep and check every order as it comes in. This also applies to every client you have registered with you.

This is apparently the "intended behaviour" of WHMCS as it allows people to sell "subdomain" hosting.

Below is the code for a hook which will stop this working as long as there is an active product/service on your install. Please feel free to improve/enhance this and distribute as freely as possible:

<?php
/**
 * Reject a shopping cart order for a subdomain of a domain that already has a
 * hosting account on this install.
 *
 * @package     WHMCS
 * @author      WHMCS Chance
 * @copyright   Copyright (c) WHMCS Limited 2005-2017
 * @license     https://www.whmcs.com/license WHMCS Eula
 * @link        https://www.whmcs.com/
 */

if (!defined('WHMCS')) {
    die('This hook should not be run directly');
}

use WHMCS\Database\Capsule;

add_hook('ShoppingCartValidateDomain', 1, function ($vars) {
    // Only "use my own domain" orders can name a subdomain of an existing domain.
    if ($vars['domainoption'] == 'owndomain') {
        // For scammers.mydomain.com WHMCS passes sld "scammers" and tld ".mydomain.com";
        // dropping the leading dot leaves the parent domain to look up.
        $oldTld = $vars['tld'];
        $newTld = substr($oldTld, 1);

        // Is that parent domain already a hosting account on this install?
        $checkDomain = Capsule::table('tblhosting')
            ->where('domain', '=', $newTld)
            ->first();

        if (!is_null($checkDomain)) {
            // Returning an array of messages makes WHMCS reject the cart step.
            return [
                'Domain Already Exists...Try a different domain!'
            ];
        }
    }
});


Interesting, but useless for any sc***er.

Follow me:

  • I'm a sc***er, and I register the fake.yourdomain.com subdomain, referred to as a fake subdomain of yourdomain.com of yours
  • I (the sc***er) will have full management of DNS of fake.yourdomain.com
  • but this DNS management is useless if the guy who manages the DNS of yourdomain.com does not create the appropriate DNS records for fake.yourdomain.com (it may be done in a couple of different ways)

So, what's the end of the story?

  • I register fake.yourdomain.com
  • when anyone tries to go to fake.yourdomain.com the DNS system forwards it to the RNAME of *.yourdomain.com ... which, usually, is the root yourdomain.com

This trick is useless if you don't do a DNS poisoning too.
But if you do a DNS poisoning, you don't need a fake subdomain... you can work on the root.

Edited by Remitur

Hi Remitur,

I made an unfortunate choice of subject heading for this topic which I cannot amend:

register a subdomain should more accurately be described as order hosting for a subdomain where the domain already exists.

So in essence what can occur is:

1. You have an existing domain that has an active service and is hosted on your server (yourdomain.com).

2. I come along and order hosting for a subdomain of that domain (spam.yourdomain.com). If the product is set as active after the first payment is received the account is created on the server and as your DNS records are already pointed at the server my site is now live.

Please go ahead and try to process an order for hosting a subdomain for a domain that already exists on your server.

Edited by Vox
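The scenario in steps 1 and 2 above, and the hook in the first post, only cover the immediate parent of the ordered hostname. As an added example (not from the original post or from WHMCS), this variant walks every parent of the ordered hostname and rejects the order if any of them is an existing hosting account or registered domain on the install; it assumes the same hook arguments as the original ($vars['domainoption'], $vars['sld'], $vars['tld']) and the standard tblhosting and tbldomains tables.

```php
<?php
// Added example, not the original poster's hook: block hosting orders for any
// subdomain whose parent (at any depth) already exists on this WHMCS install.
// Assumes WHMCS passes $vars['sld'] and $vars['tld'] (tld with a leading dot).

if (!defined('WHMCS')) {
    die('This hook should not be run directly');
}

use WHMCS\Database\Capsule;

if (!function_exists('parentDomainsOf')) {
    // Every parent of $fqdn, nearest first, stopping at two labels:
    // "a.b.example.com" -> ["b.example.com", "example.com"].
    function parentDomainsOf($fqdn)
    {
        $labels  = explode('.', strtolower(trim($fqdn, '.')));
        $parents = [];
        while (count($labels) > 2) {
            array_shift($labels);
            $parents[] = implode('.', $labels);
        }
        return $parents;
    }
}

add_hook('ShoppingCartValidateDomain', 1, function ($vars) {
    // Only "use my own domain" orders can name a subdomain of someone else's domain.
    if ($vars['domainoption'] !== 'owndomain') {
        return;
    }
    // Rebuild the full hostname: sld "spam" + tld ".yourdomain.com".
    $fqdn = $vars['sld'] . $vars['tld'];

    foreach (parentDomainsOf($fqdn) as $parent) {
        // A live (or soon to be live) hosting account for the parent domain.
        $hosted = Capsule::table('tblhosting')
            ->where('domain', $parent)
            ->whereIn('domainstatus', ['Pending', 'Active', 'Suspended'])
            ->exists();
        // A domain registered through this install, even without hosting.
        $registered = Capsule::table('tbldomains')
            ->where('domain', $parent)
            ->exists();
        if ($hosted || $registered) {
            return ['Domain Already Exists...Try a different domain!'];
        }
    }
});
```

Drop this file into includes/hooks/ alongside the original; it replaces rather than complements that hook, since it performs the same single-level check as part of the walk.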

This is a security issue which needs to be managed at web-server level, because it may be used even without WHMCS involvement.

Example:

  • on my web server you have a hosting service for yourdomain.com
  • customer Badguy orders a hosting service for badguydomain.com
  • the hosting plan of badguydomain.com allows the use of domain aliases
  • badguy creates an alias for fake.yourdomain.com which redirects somewhere in badguydomain.com...

As you can see, in this drawing WHMCS does not appear... but the issue exists, and it's the same you described.

I guess that control panels (cPanel, Plesk, DirectAdmin) manage such an issue on their own...

