(06-17-2015, 02:11 AM)Droppy Wrote: Hello dear community who are working all day for making a web a better place.
Basically is this: Sentora backend is relying (trusting) too much on frontend data to process requests and others.
Example of that is Email, example:
Create a new email account, but on domain you right click and select another domain which is pointed to your host.
Let's think about this schematics:
User 1's domains: abc.com , cde.com
User 2's domains: hax0r.com
User 2, wanting to sabotage User 1, discover that X domain is abc.com, and wants to create an email there (such as hacked@abc.com or hacked@cde.com), so user inspect element and changes values. Backend doesn't verify if the domain is from the user or not, it just clear the entrance, and the email is created.
There's other examples such as selecting subdomain and others, but it's the same concept.
Cya
This is true.
Should be fixed.
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora
Graphic and Web Design. Development.
www.vanguardly.com
[Module] Mail Quota Count | Vagrant Box with Sentora
Graphic and Web Design. Development.
www.vanguardly.com