
Problem: How do I know if a user owns a particular domain name, let's say https://example.com/?

Plan: To verify if a user owns that particular domain, I am planning to ask the user to upload a myFile.txt file with some predefined content to their website's root folder. Then on a button click I will call https://example.com/myFile.txt and read the file using PHP and verify its content.

Questions:

  1. What are the security concerns I need to be worried about while reading a file from an unknown source like that?

  2. Is there a better way to achieve what I am trying to achieve here?

Edit:

For the concerns of it being a file sharing website, we will also do a manual verification and allow only particular types of websites, and none of them are going to be file sharing websites.

Roy
  • What stops someone from uploading a file to a server they do not own, such as a file sharing website which keeps the file extension intact in the URL? For example, [this one](http://m.uploadedit.com/bbtc/1564772060101.txt) that I just uploaded (I promise I don't actually own the uploadedit website). There may be a service that exists that uploads to the root folder of the website (or at least the link appears to be). – GrumpyCrouton Aug 02 '19 at 18:53
  • Why is this tagged sql-injection? That's not really relevant unless you are reading data from this text file and using it in queries, and even then it's not relevant if you are using good security practices. – GrumpyCrouton Aug 02 '19 at 18:57
  • Just to be clear your plan really only confirms that the user has access to the hosting, not that they control/own the domain. If you need to verify control/ownership of the domain, the TXT record is the way to go. – cOle2 Aug 02 '19 at 18:59

1 Answer

I think the main concern would be with executing anything in that file.

As long as you are simply reading the file and ensuring its contents a) exist, and b) are what you provided, as well as removing the file immediately after verifying its contents, it appears okay. Except for users being able to upload files to the top of some domains (for example, every uguu file share clone and private instance), particularly if you are providing a unique file name. This still only allows for users to masquerade as owning domains they don't, but I imagine that could be a problem.

If you were to have them upload a PHP file, and attempted to evaluate it, that would be a huge security hole (eval injection). If you verified the contents, then showed the user the contents without properly sanitizing them first, that could be a huge security hole (XSS). If you were to keep the file, that could be a huge security hole (backdooring). But as long as you're mindful of these problems, I see little problem with this approach.

You may also want to check allow_url_include, as suggested in this answer, though this is less likely to be relevant given you only want to verify the contents. It's possible they could escape the URL and try to get you to load a php:// URL, though - worth verifying the domain provided is valid and well-formed as well.


Alternatively: The primary way I see people do this typically is through DNS records. Utilizing dns_get_record you could have the user instead add a TXT line to their DNS records, and verify them in that way with this function to check the data. You want to avoid the same problems, but this is quite the barrier to faking you own a domain, while still being a simple task to complete.

zbee
  • We would like the task to be easy so that even a luddite site owner can do it. Is adding a DNS record as easy as uploading a txt file in your root folder using either cPanel or Filezilla? I have never done the former. If yes then I will read up on it and use that method instead. Also we will be doing a round of quick manual verification and discard all the file sharing type websites anyway. So which route would you suggest now? – Roy Aug 02 '19 at 20:12
  • Thanks a lot for taking the time to answer the question. I have marked your answer as correct. – Roy Aug 02 '19 at 20:23
  • @Roy It's not as easy, but when set up through GoDaddy, Cloudflare, Namecheap, or DigitalOcean I do know that it is very, very straightforward. I don't know your target audience, but particularly if they're developers this should be a straightforward enough task. Either way, the additional complexity does offer some fewer explorations on your end and decreases the likelihood of claiming ownership dramatically; I would think it worthwhile. I appreciate the marking of my answer :) – zbee Aug 02 '19 at 20:29
  • Additionally, if you look at ProtonMail, G Suite, and most publicly observably Keybase, this is a part of each of their domain verification flows, for reference. Finally, adding lines to your DNS is a common enough task that there are many resources out there for accomplishing the task, such that a Luddite could figure it out at the very least. – zbee Aug 02 '19 at 20:30
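
The checks discussed in the answer and comments above, written out in PHP as an added example (not code from the question, the answer or any project mentioned): the submitted domain is reduced to a bare hostname, the file is fetched with a fixed scheme and path and only compared, and the TXT record is read with dns_get_record. The function names, the `site-verification=` TXT prefix, the 256-byte limit and the timeouts are assumptions; `$token` is a random value the site issues per account and domain, for example `bin2hex(random_bytes(16))`.

```php
<?php
declare(strict_types=1);

const MAX_BYTES = 256; // the token file is tiny; anything larger is not ours

/** Reduce user input to a bare, well-formed hostname, or null if it is anything else. */
function normalizeDomain(string $input): ?string
{
    $host = strtolower(trim($input));
    // FILTER_FLAG_HOSTNAME allows only letters, digits, hyphens and dots, so
    // "php://input", "example.com/x" and "user@host" are all rejected here.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false
        || strpos($host, '.') === false
        || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return null;
    }
    return $host;
}

/** File check: fetch https://<host>/myFile.txt and compare it with the token. */
function verifyByFile(string $host, string $token): bool
{
    $body = '';
    $ch = curl_init('https://' . $host . '/myFile.txt'); // scheme and path are fixed server-side
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no file://, ftp://, gopher://
        CURLOPT_FOLLOWLOCATION => false,           // a redirect is not proof of control
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk); // short count aborts
        },
    ]);
    $ok = curl_exec($ch) && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    // The body is only compared, never eval()'d, include()'d, stored or echoed back.
    return $ok && trim($body) === $token;
}

/** DNS check: look for a TXT record "site-verification=<token>" on the domain. */
function verifyByDns(string $host, string $token): bool
{
    foreach (@dns_get_record($host, DNS_TXT) ?: [] as $record) {
        if (($record['txt'] ?? '') === 'site-verification=' . $token) {
            return true;
        }
    }
    return false;
}
```

Call `normalizeDomain()` on the submitted value first and pass only its non-null result to either check. The file fetch still connects to whatever address the name resolves to, so run it from a host that cannot reach internal services.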