Feature Requests
Share ideas, discuss and vote on requests from other users in community
 

Disable subdomain creation to avoid subdomain Hijack

Haider Ali Khan shared this idea 3 months ago
Under Consideration

Hackers can easily make a subdomain from a domain name which they don't own with the option "I will use my existing domain and update my nameservers". when ordering a hosting package.

I request WHMCS to add some feature that could block/ban subdomain creation when "I will use my existing domain and update my nameservers" option is selected upon hosting orders.

Personally, I am afraid to use the auto-activation system of WHMCS. If I enable auto cPanel creation after payment is received, hackers can make a subdomain buy purchasing a web hosting package from a domain name which they don't own.

Therefore, the subdomain could be abused in many ways.

I am not sure if WHMCS would consider this as a bug or not, but this is a serious security issue for my customers.

Comments (1)

photo
1

Hi there,

Thanks for your suggestion.

The server control panel software should have measures in place preventing such accounts being provisioned. For exmaple the option in cPanel is documented at https://documentation.cpanel.net/display/CKB/How+to+Prevent+cPanel+Users+from+Creating+Certain+Domains

As an immediate solution to block this at the WHMCS level, the ShoppingCartValidateDomain or ShoppingCartValidateCheckout hook

points can be used to block domains containing certain strings at the

cart.