is it a vulnerability to redirect to any subdomain? similar to Open Redirect

i found a website that has the parameter post_login_redirect= i can change to any existing and non-exisiting subdomains, but there is no posibility to redirect to another domain. The redirect occurs after the user logs in.

For example:

we have sub.domain.com and we can change to anything if we respect the domain.com. so we can redirect to a.b.c.b.domain.com even if that subdomain doesn’t exist, it will redirect anyway. But we can’t redirect to a.hello.com

This is not an open redirect issue, because we can only redirect to subdomains that we don’t own.

Is there any possibility to chain this or make this a real vulnerability?

NGINX, subdomain using server blocks doesn’t work

I would like to use nginx to redirect user from domain.com:3001 to sub.domain.com. Application on port 3001 is running in docker container, I didn’t add any files in directory sites-available/sites-enabled. I have added two server blocks (vhosts) in my conf.d directory. In server block I set $ upstream and resolver according to record in my /etc/resolv.conf file. The problem is that when I test in browser sub.domain.com every time I receive information that IP address could not be connected with any server (DNS_PROBE_FINISHED_NXDOMAIN) or 50x errors.

However, when I run curl sub.domain.com from the server I receive 200 with index.html response, this doesn’t work when I run the same command from my local PC. Server domain is in private network. Have you any idea what my configuration files lack of?? Maybe there is some issue with the listen port when app is running in docker or maybe there is something wrong with the version of nginx? When I installed nginx there was empty conf.d directory, with no default.conf. I am lost…

Any help will be highly appreciated.

Here is my configuration files: server.conf:

server  {     listen       80;     listen       443 ssl;     server_name  sub.domain.net;      #charset koi8-r;     #access_log  /var/log/nginx/host.access.log  main;      ssl_certificate /etc/nginx/ssl/cer.crt;     ssl_certificate_key /etc/nginx/ssl/private.key;      #set_real_ip_from 127.0.0.1;     #real_ip_header X-Real-IP;     #real_ip_recursive on; #    location / { #        root   /usr/share/nginx/html; #        index  index.html index.htm; #    }      location / {         resolver 10.257.10.4;         set $  upstream https://127.0.0.1:3000;          proxy_pass $  upstream;          proxy_set_header X-Forwarded-Host $  host;         proxy_set_header X-Forwarded-Server $  host;         proxy_set_header X-Forwarded-Proto $  scheme;`enter code here`         proxy_set_header X-Forwarded-For $  proxy_add_x_forwarded_for;         proxy_set_header Host $  host;      #error_page  404              /404.html;     # redirect server error pages to the static page /50x.html     #     error_page   500 502 503 504  /50x.html;     location = /50x.html {         root   /usr/share/nginx/html;     }      # proxy the PHP scripts to Apache listening on 127.0.0.1:80     #     #location ~ \.php$   {     #    proxy_pass   http://127.0.0.1;     #}      # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000     #     #location ~ \.php$   {     #    root           html;     #    fastcgi_pass   127.0.0.1:9000;     #    fastcgi_index  index.php;     #    fastcgi_param  SCRIPT_FILENAME  /scripts$  fastcgi_script_name;     #    include        fastcgi_params;     #}      # deny access to .htaccess files, if Apache's document root     # concurs with nginx's one     #     #location ~ /\.ht {     #    deny  all;     #} }  nginx.conf  #user  nginx; worker_processes  1;  #error_log  /var/log/nginx/error.log; #error_log  /var/log/nginx/error.log  notice; #error_log  /var/log/nginx/error.log  info;  #pid        /var/run/nginx.pid;  include /etc/nginx/modules.conf.d/*.conf;  events {     worker_connections  1024; }   http {     include       mime.types;     default_type  application/octet-stream;      #log_format  main  '$  remote_addr - $  remote_user [$  time_local]     #                  '$  status $  body_bytes_sent "$  http_referer" '     #                  '"$  http_user_agent" "$  http_x_forwarded_for"';      #access_log  /var/log/nginx/access.log  main;      sendfile        on;     #tcp_nopush     on;      #keepalive_timeout  0;     keepalive_timeout  65;      sendfile        on;     #tcp_nopush     on;      #keepalive_timeout  0;     keepalive_timeout  65;     #tcp_nodelay        on;      #gzip  on;     #gzip_disable "MSIE [1-6]\.(?!.*SV1)";      server_tokens off;     include /etc/nginx/conf.d/*.conf; }  # override global parameters e.g. worker_rlimit_nofile include /etc/nginx/*global_params 

;

Does Facebook use any other CDN apart from Akamai? Encountered fbcdn.net subdomain that does not belong to Akamai

I received a notice from my third-party firewall application (Little Snitch) that when I had Facebook open, my browser (Chrome 46.0.2490.80 on El Capitan 10.11.1) was attempting to connect to “scontent.fper1-1.fna.fbcdn.net” and “scontent.fmel1-1.fna.fbcdn.net”. Having never seen these particular variations on the fbcdn domain before despite daily use of Facebook and having used LS for a while, it was a little suspicious to me.

Looking up the IP addresses (150.101.84.17 and 150.101.84.145 respectively) point to Internode, an ISP located in Adelaide, Australia (I live in Australia, but not Adelaide) and AFAIK, Facebook does not use their CDN and I don’t think Internode even provides such services.

But the domain is fbcdn.net. right? And if that’s so, which is legit domain used by Facebook for content/cookies etc, even if the IP addresses don’t resolve to Facebook or Akamai, it should be fine? Nothing suspicious?

Forward GoDaddy subdomain to a different port on the same server (reverse proxy)

So here is the situation: I purchased a domain with GoDaddy (Jbc.ca) GoDaddy forwards to my no-ip domain currently as I have a dynamic IP address (however it does not change that frequently- so I could in theory have it forward directly to my IP address).

Now here is where it gets a little more complicated. I run a web server (Apache) on port 80 which is displayed when you visit (jbc.ca) I also have several other services that run on the same system: Plex- port 32400; Tautulli on port 7777; Ombi on port 5000; Lidarr on port 8686, Remotely Anywhere PC Access on 7000 and a separate Web Server (Microsoft IIS on port 9024).

Currently to access any of these services other than port 80 I have to do as follows: “http://Jbc.ca:Port#” ; so for example to access Ombi I have to type in http://jbc.ca:5000.

What I would like is to have my domain with subdomains for each port- so for example ombi.jbc.ca would in theory load port 5000 on the server, but would display ombi.plex.ca instead of redirecting and exposing the port number. Ra.jbc.ca would load port 7000 and so on…

I have read that this can be done with reverse proxy via apache or nginx (as I am running mamp pro for my main server) as well as IIS, however I have no clue how to accomplish this as to what needs to be changed/added on the server, which server would be best to accomplish this as well as what I’d have to modify on my GoDaddy domain.

Hopefully someone can help as I am totally stumped at this point.

Thanks in advance.

can an attacker exploit my main site from subdomain?

I have an app that was in a folder on my main site’s root directory www.example.com/app which was recently hacked and the entire website was offline because the server load was too high and the database was corrupted somehow.

Now, before I find the exploit in the app I would like to have it back online. Would placing it in a subdomain like app.example.com make any difference? Assuming the attacker will do the same on the new location, is my main site safer?

Cross subdomain PHP security?

I understand there are security risks with regards to cross subdomain session cookie attacks which are covered in other posts. However what about PHP script security?

If a user with subdomain FTP access on a cPanel server uploads a PHP script, can the privacy of other subdomains on the same domain be compromised, eg could the script obtain a file listing from another sub-domain or include files from the parent directory?

FTP access is restricted to the sub-domain directory.

Set DNS for subdomain

Can anyone help, please?

Issue: I use godaddy. I set Active Domain as subdomain (api.domainname.com). In DNS section I set the following records: @ -> 1.2.3.4, api -> 1.2.3.4 and test -> 1.2.3.4.

But now I can open domainname.com and test.domainname.com, but cannot open api.domainname.com (got error DNS_PROBE_FINISHED_NXDOMAIN – api.domainname.com server IP address could not be found.)

The client wants to use top-level domain (domainname.com) for the site, which he created via weebly. All other subdomains should works with godaddy.

Anyone has any thoughts, why I cannot open api.domainname.com. Is it connected to Active Domain?

Thanks!