Sentora relying too much on Client data
#1
Hello dear community, who are working all day to make the web a better place.

Basically it is this: the Sentora backend is relying on (trusting) frontend data too much when processing requests and other things.

An example of that is Email:

Create a new email account, but in the domain field you right-click and select another domain which is pointed to your host.

Let's think about this schematic:

User 1's domains: abc.com, cde.com
User 2's domains: hax0r.com

User 2, wanting to sabotage User 1, discovers that domain X is abc.com and wants to create an email there (such as hacked@abc.com or hacked@cde.com), so the user inspects the element and changes the values. The backend doesn't verify whether the domain belongs to the user or not; it just clears the entry, and the email is created.

There are other examples, such as selecting a subdomain and others, but it's the same concept.

Cya
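To show what the missing server-side check looks like, here is an added example; it is not Sentora's code and not the content of any PR in this thread. It assumes a simplified schema (`domains` and `mailboxes` tables), a `$currentUserId` taken from the server-side session, and PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration, not Sentora's code. Assumed simplified schema:
// domains(id, user_id, name, deleted_at) and mailboxes(id, domain_id, address).
// $currentUserId must come from the authenticated session, never from the form.

// The pattern the thread describes: the domain id posted by the browser is trusted as-is.
function createMailboxUnchecked(PDO $pdo, int $currentUserId, array $post): void
{
    $domainId = (int) $post['domain_id'];   // editable in the browser, never checked
    $pdo->prepare('INSERT INTO mailboxes (domain_id, address) VALUES (?, ?)')
        ->execute([$domainId, $post['local_part']]);
}

// Hardened pattern: resolve the domain server-side, scoped to the logged-in user.
function createMailboxChecked(PDO $pdo, int $currentUserId, array $post): bool
{
    $domainId = filter_var($post['domain_id'] ?? null, FILTER_VALIDATE_INT);
    $local    = $post['local_part'] ?? '';
    if ($domainId === false || !preg_match('/^[a-z0-9._-]{1,64}$/i', $local)) {
        return false;                       // malformed input is rejected outright
    }
    // Ownership is part of the lookup: a domain id that belongs to another
    // user (or a deleted one) simply does not resolve for this user.
    $stmt = $pdo->prepare(
        'SELECT name FROM domains WHERE id = ? AND user_id = ? AND deleted_at IS NULL'
    );
    $stmt->execute([$domainId, $currentUserId]);
    $domainName = $stmt->fetchColumn();
    if ($domainName === false) {
        error_log("user $currentUserId submitted domain id $domainId they do not own");
        return false;                       // authorization failure, worth logging
    }
    $pdo->prepare('INSERT INTO mailboxes (domain_id, address) VALUES (?, ?)')
        ->execute([$domainId, $local . '@' . $domainName]);
    return true;
}

// Constructed demo data reproducing the thread's scenario (User 1 owns abc.com and
// cde.com, User 2 owns hax0r.com), using an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE domains (id INTEGER PRIMARY KEY, user_id INT, name TEXT, deleted_at TEXT)');
$pdo->exec('CREATE TABLE mailboxes (id INTEGER PRIMARY KEY, domain_id INT, address TEXT)');
$pdo->exec("INSERT INTO domains VALUES (1, 1, 'abc.com', NULL), (2, 1, 'cde.com', NULL), (3, 2, 'hax0r.com', NULL)");

// User 2 submits User 1's domain id: rejected. User 2's own domain: accepted.
var_dump(createMailboxChecked($pdo, 2, ['domain_id' => '1', 'local_part' => 'hacked']));
var_dump(createMailboxChecked($pdo, 2, ['domain_id' => '3', 'local_part' => 'info']));
```

The same lookup-scoped-to-owner pattern applies to the subdomain form mentioned later in the thread; any id the browser sends should only ever be resolved through the current user's own records.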
#2
RE: Sentora relying too much on Client data
(06-17-2015, 02:11 AM)Droppy Wrote: Hello dear community who are working all day for making a web a better place.

This is true.

Should be fixed.
#3
RE: Sentora relying too much on Client data
Thanks for bringing this to our attention! We will look into it further.
Me.B, motters, kandrews
-TGates - Head of Support
#4
RE: Sentora relying too much on Client data
Hmmm, yep, it should be checked.
#5
RE: Sentora relying too much on Client data
The same is true for subdomains.
#6
RE: Sentora relying too much on Client data
Hey all, I've got a PR waiting to do the quick fix for the above-listed errors; it should probably be merged ASAP.
https://github.com/sentora/sentora-core/pull/174

Elijah
#7
RE: Sentora relying too much on Client data
I have merged the changes, but one of the devs will need to review it again before tagging it ;)
-TGates - Head of Support
#8
RE: Sentora relying too much on Client data
(06-24-2015, 04:17 AM)TGates Wrote: I have merged the changes, but one of the devs will need to review it again before tagging it ;)

Sweet as!
In the long run I think a fair bit of those modules could be rewritten for better validation and user experience.
#9
RE: Sentora relying too much on Client data
One of the devs reviewed this?
#10
RE: Sentora relying too much on Client data
Me.B, motters
-TGates - Head of Support