Error: Web domain DOMAIN.TLD exists when trying to add a SUB.DOMAIN.TLD

Hi everyone,

Not sure if this is a “known issue”; I went through GitHub and I was not able to find anything similar.

Debian 10 - HST 1.4.1 + Apache + Nginx + MultiPHP

The issue I am facing is when I try to add a subdomain, let’s call it SUB.DOMAIN.TLD.
There is another unprivileged user owning the same DOMAIN.TLD.
I never had this issue on previous HESTIA releases.

Steps I am doing:

  1. I point to /add/web/ from hestia as unprivileged user, owner of SUB.DOMAIN.TLD
  2. Insert SUB.DOMAIN.TLD in “domain name” field
  3. Keep “Create DNS zone” and “Enable mail for this domain” unchecked
  4. Press save
  5. Error message: Error: Web domain DOMAIN.TLD exists

The issue here seems to be that the controller for adding domains in HESTIA is checking for a DOMAIN.TLD match rather than SUB.DOMAIN.TLD.

Thank you and sorry if I am duplicating.

1 Like

We have added in 1.4.0 a few new policies:

One of them is:

https://docs.hestiacp.com/admin_docs/settings.html#what-does-the-policy-enforce-subdomain-ownership-mean

You can disable it via the settings.

See GitHub issue #1622 in hestiacp/hestiacp ("[BUG] Any user can create a subdomain for any domain using the HestiaCP DNS server even for other users.") and the Sick Codes advisory "CVE-2021-27231 - Hestia Control Panel 1.4.0 and below - Subdomain Takeover - Improper Privilege Management" for the reason behind it.

2 Likes

Perfect, thank you! :wink:

It doesn’t work for me:

ran v-add-web-domain-allow-users USER DOMAIN

gives

Error: web domain DOMAIN doesn't exist

Any tip?

If you have user1 → domain.com
and user2 → sub.domain.com

Use v-add-web-domain-allow-users user1 domain.com

2 Likes

Ok, thanks for the tip, it works perfectly indeed. Nice job here.
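
The behaviour described in this thread, as an added example that is not part of the original posts and is not Hestia's own code: a simplified Python model of a subdomain-ownership check and of the effect of running v-add-web-domain-allow-users on the parent domain. The function names, the `web_domains` layout and the rule that the nearest registered parent domain decides are assumptions made for illustration.

```python
# Simplified model of the "enforce subdomain ownership" policy discussed in
# this thread. Names and data layout are assumptions, not Hestia's code.

def parent_domains(domain):
    """Yield the parents of `domain`, nearest first (a.b.tld -> b.tld)."""
    labels = domain.lower().rstrip(".").split(".")
    # Stop while two labels remain, so the bare TLD is never yielded.
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:])


def can_add_web_domain(user, domain, web_domains, enforce=True):
    """Decide whether `user` may add `domain`.

    web_domains maps domain -> {"owner": str, "allow_users": bool}, where
    allow_users models the flag set by v-add-web-domain-allow-users.
    Returns (allowed, reason).
    """
    domain = domain.lower().rstrip(".")
    if domain in web_domains:
        return False, f"Web domain {domain} exists"
    if not enforce:
        return True, "policy disabled"
    for parent in parent_domains(domain):
        entry = web_domains.get(parent)
        if entry is None:
            continue  # nobody on this server has registered this parent
        if entry["owner"] == user:
            return True, f"{user} owns {parent}"
        if entry["allow_users"]:
            return True, f"owner of {parent} allows other users"
        # Parent belongs to someone else who has not opted in.
        return False, f"Web domain {parent} exists"
    return True, "no registered parent domain"


def demo():
    # Constructed sample state: user1 owns domain.com, flag not yet set.
    web = {"domain.com": {"owner": "user1", "allow_users": False}}
    before = can_add_web_domain("user2", "sub.domain.com", web)
    # Equivalent of: v-add-web-domain-allow-users user1 domain.com
    web["domain.com"]["allow_users"] = True
    after = can_add_web_domain("user2", "sub.domain.com", web)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The flag lives on the parent domain's record under its owner, which is why the command takes user1 and domain.com rather than the user or name of the subdomain being added.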
