Feature Requests

Disable subdomain creation to avoid subdomain Hijack

Haider Ali Khan shared this idea 10 months ago
Under Consideration

Hackers can easily make a subdomain from a domain name which they don't own with the option "I will use my existing domain and update my nameservers" when ordering a hosting package.

I request WHMCS to add some feature that could block/ban subdomain creation when "I will use my existing domain and update my nameservers" option is selected upon hosting orders.

Personally, I am afraid to use the auto-activation system of WHMCS. If I enable auto cPanel creation after payment is received, hackers can make a subdomain by purchasing a web hosting package from a domain name which they don't own.

Therefore, the subdomain could be abused in many ways.

I am not sure if WHMCS would consider this as a bug or not, but this is a serious security issue for my customers.

Comments (2)

1

Hi there,

Thanks for your suggestion.

The server control panel software should have measures in place preventing such accounts being provisioned. For example, the option in cPanel is documented at https://documentation.cpanel.net/display/CKB/How+to+Prevent+cPanel+Users+from+Creating+Certain+Domains

As an immediate solution to block this at the WHMCS level, the ShoppingCartValidateDomain or ShoppingCartValidateCheckout hook points can be used to block domains containing certain strings at the cart.
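A sketch of the cart-level block described in the comment above, added here as an example (it is not part of the original comment and not WHMCS's own code). It assumes the `ShoppingCartValidateDomain` hook passes `domainoption`, `sld` and `tld` and accepts an array of error strings in return; check this against the hook reference for your WHMCS version. The protected list and the `examplehook_` function names are hypothetical.

```php
<?php
// Added example: save as a file under includes/hooks/ in the WHMCS install.
if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

// Assumption: parent domains that must never receive an "own domain" order
// (constructed placeholder values, replace with the domains you host).
const EXAMPLEHOOK_PROTECTED = ['example.com', 'example.net'];

// Join the two cart fields into one lower-case host name without stray dots.
function examplehook_normalize_host(string $sld, string $tld): string
{
    $host = strtolower(trim($sld) . '.' . ltrim(trim($tld), '.'));
    return trim($host, '.');
}

// True when $host is a protected domain or any subdomain of one.
// The match is anchored on a label boundary, so "notexample.com" is
// not treated as being under "example.com".
function examplehook_is_protected(string $host, array $protected): bool
{
    foreach ($protected as $domain) {
        $domain = strtolower(trim($domain, '.'));
        $suffix = '.' . $domain;
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

add_hook('ShoppingCartValidateDomain', 1, function (array $vars) {
    // Only the "I will use my existing domain" path is checked here.
    if (($vars['domainoption'] ?? '') !== 'owndomain') {
        return;
    }
    $host = examplehook_normalize_host(
        (string) ($vars['sld'] ?? ''),
        (string) ($vars['tld'] ?? '')
    );
    if ($host === '' || examplehook_is_protected($host, EXAMPLEHOOK_PROTECTED)) {
        // Returned strings are shown to the customer as cart errors.
        return ['This domain cannot be used for an existing-domain order. Please contact support.'];
    }
});
```

This only stops the order at the cart; the control-panel restriction mentioned in the same comment is still needed for accounts created by other routes.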

1

The pages ShoppingCartValidateDomain and ShoppingCartValidateCheckout seem to redirect to a 404, after actually displaying them.