ISPConfig does not check for a valid domain. You should add...

if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

somewhere.

Now the DNS manager folders will not load. I have included a screenshot, because it has corrupted the database and it also creates folders. E.g. the entry in the dns_isp_dns table:

t7v.com | 1 | | 60.241.11.51 | | 38 | 1016 | /root/Desktop/organised/html/t7v/index.php t7v.com | 28800 | 7200 | 604800 | 86400 | ns1.ecommsec.com | ns1.ganino.com | admin@/root/Desktop/organised/html/t7v/index.php

1) The folders are created in the chroot under the pri. folder.
2) /root/Desktop/organised/html/t7v/index.php is not a valid domain.

I fixed the issue by deleting 2 references in the database and all is fixed, but a reseller may be able to exploit the issue and break out of the chroot by creating folders. Need to include the fix

if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

when specifying a domain name for a new site.
I have also noticed that turning client-side JavaScript off in the browser allows for the creation of empty sites (bypasses the JavaScript alerts). So a few additional PHP lines to back up the JavaScript also.

Where would the likely candidate file be to add my fix?

function web_insert -> ispconfig_isp_web.lib.php -> ignored
function web_insert -> ispconfig_web.lib.php -> ignored

Perhaps line 234 /home/admispconfig/ispconfig/web/multidoc/edit/edit.php. Would adding my fix have other impacts?

Note: JavaScript validation is handy and efficient, but due to its client-side nature you also need the fallback validation of a pre-processing scripting language like PHP.
ISPConfig does server-side checks too; have a look at /home/admispconfig/ispconfig/web/multidoc/edit/edit.php. The regex rules are defined in the forms editor, that's why you won't find them in the sources. We will check the problem as falko pointed out.
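
The server-side domain check discussed in this thread, as an added example that is not part of the original posts and is not ISPConfig code: it runs the regex from the first post next to a stricter per-label validator over constructed inputs. The names `POSTED_PATTERN` and `is_valid_domain` are hypothetical; in PHP a pattern ending in `$` without the `D` modifier also accepts a trailing newline, which is why the stricter version anchors with `\z`.

```php
<?php
// Added example, not ISPConfig code. All names here are hypothetical.

// The pattern from the first post, unchanged.
const POSTED_PATTERN = '/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix';

/**
 * Returns true only for a plain DNS name that is safe to store in a zone
 * record and to use as a directory name.
 */
function is_valid_domain(string $domain): bool
{
    // Overall length limit for a DNS name in text form.
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $labels = explode('.', $domain);
    if (count($labels) < 2) {
        return false; // require at least "name.tld"
    }
    foreach ($labels as $label) {
        // 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
        // \A and \z anchor at the true start and end of the string, so a
        // trailing "\n" or any "/" in the value is rejected.
        if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i', $label)) {
            return false;
        }
    }
    // An all-numeric last label means an IP address, not a domain name.
    return !ctype_digit(end($labels));
}

// Constructed sample inputs; the path value is the one quoted in the post.
$samples = [
    't7v.com',
    '/root/Desktop/organised/html/t7v/index.php',
    "t7v.com\n",          // trailing newline slips past a bare "$"
    '-bad-.com',          // label starts and ends with a hyphen
    'example.technology', // valid TLD longer than 6 letters
    '60.241.11.51',       // IP address, not a domain
];
foreach ($samples as $s) {
    printf("%-46s posted=%-3s strict=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        preg_match(POSTED_PATTERN, $s) ? 'ok' : 'no',
        is_valid_domain($s) ? 'ok' : 'no');
}
```

Whatever pattern is used, the check has to run on the server before the value reaches the database or is used to build a folder path, since the JavaScript alerts can be switched off in the browser.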