wfitg

Members
  • Posts: 205
  • Joined
  • Last visited
  • Days Won: 2

Reputation Activity

  1. Like
    wfitg got a reaction from ariq01 in I Need Help Solving A Problem With Installing The Program Blesta   
    Check the conf is using local host

    Try changing the host to: localhost
  2. Like
    wfitg got a reaction from Darin in Clean Payment Buttons For Paypal, Paypal Subscriptions, Etc.   
    I hate the paypal buttons, however, the Blesta button should at least have "Pay Now" or "Pay Here". or something to that effect included. Leave no doubt in the user's mind.
  3. Like
    wfitg reacted to Michael in Reset Password   
    Go to: /app/views/admin/default/admin_login.pdt
     
    remove: 
    <p><strong><em><a href="<?php echo $this->base_uri . "login/reset/";?>" id="reset"><?php $this->_("AdminLogin.index.link_resetpassword");?></a></em></strong></p>
  4. Like
    wfitg reacted to Paul in Delete Logs - Emails Sent To Clients   
    I have created task CORE-1453 to address passwords in the Account Registration email. We personally do not include passwords in our account registration email. It's generally a bad idea to do this, and it should not be included by default. This will affect new installations only.
     
    The separate issue about rotating the email log is open to further discussion. Personally, we prefer to keep an entire history of email with the customer. I personally check email logs often, especially if there is a dispute. But, we understand that the log could become quite large, so an option to truncate the log which is not enabled by default may be a good option.
  5. Like
    wfitg reacted to flangefrog in Delete Logs - Emails Sent To Clients   
    Yeah it's possible to encrypt it, passwords should never be there in the first place though. There are built in ways in MySQL to compress the data, that might be a good idea although depending which method is used it could prevent full text search.
  6. Like
    wfitg reacted to Michael in Delete Logs - Emails Sent To Clients   
    I'll +1 that password shouldn't be included by default, however you can add it in if you wish. As for the email rotate I'm going to -1 that, since a customer will probably go "well, you didn't email me that before"... "Yes we did!"
  7. Like
    wfitg reacted to Purevoltage in Release 3.3.0   
    Very happy with it so far!
    Can't wait for a few more features and it's going to be the blest-around!
  8. Like
    wfitg reacted to Michael in Release 3.3.0   
    I love it, and it's amazing as usual roll on 3.4
  9. Like
    wfitg reacted to PauloV in Help Me With My Security? :)   
    For you all
     
    We are developing a native APP for Android/iPhone/Windows Mobile to store locally on the device all sensitive data, and we are trying to implement some of the best encryption methods, and also a 2 factor authentication, in case the device is stolen
     
    The best part is that it's all local, encrypted and with two factor authentication (we are thinking of Face Recognition + Touch Puzzle or Touch Puzzle + Password; after 10 wrong attempts, the data is destroyed), but in this case we will sell the APP, though for a very small fee
  10. Like
    wfitg reacted to Paul in Help Me With My Security? :)   
    I'm not a fan of cloud storage of passwords. If the data is compromised, it could potentially be brute forced. It's also possible that a vulnerability in the encryption algorithm might be discovered in the future. I use a password manager, but the data is only stored on my devices. I could be robbed, but A. that's too much work for 1 set of passwords, and B. hackers prefer to work in the comfort of their parents' basements.
  11. Like
    wfitg reacted to Joseph H in Cron Using Too Much Memory?   
    Absolutely... But just try to check if there were any failed attempts in the logs.
  12. Like
    wfitg reacted to Blesta Addons in Delete Logs - Emails Sent To Clients   
    Good find, that should be encrypted or removed when logged to the database.
  13. Like
    wfitg reacted to Michael in Delete Logs - Emails Sent To Clients   
    Yeah you'll have to remove it from the database, we always recommend users to change that when they've installed Blesta to something like
    ****** [Hidden for security]
  14. Like
    wfitg got a reaction from Blesta Addons in Delete Logs - Emails Sent To Clients   
    I found the rotation settings.
    Here is my concern:
    The "Welcome Email" sends the user name and password by default. {username} {password} variables.
    I have changed that to say
    password: "the password you used when signing up"
    However, the old email with the user's name and password is being stored in the database in plain text. There is no way to delete it without manually changing the database.
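The post above describes the problem but not the cleanup. The following is an added example, not Blesta's own code, of how an admin could redact the password value from email log rows that were written before the welcome template was changed. The table name (email_log) and column names (id, body) are assumptions for illustration and must be mapped to the real schema; the sample rows live in an in-memory SQLite database so the script runs offline. Take a database backup before running anything like this against a live installation.

```php
<?php
// Added example (not Blesta's own code): redact credentials from an email log
// that was written while the welcome template still sent {password}.
// ASSUMPTIONS: table "email_log" with columns "id" and "body"; adjust to your schema.

function redactCredentials(string $body): string {
    // Replace whatever follows a "Password:" label on that line, keeping the label,
    // so the log still shows that a password was sent but no longer what it was.
    // Works for plain-text bodies; for HTML bodies the markup after the label is
    // replaced as well, which is acceptable for a redaction.
    return preg_replace('/^([ \t]*password[ \t]*:[ \t]*)\S.*$/mi', '$1[redacted]', $body);
}

function redactEmailLog(PDO $db, string $table = 'email_log'): int {
    // Read every row, rewrite only the ones that change, all inside one transaction.
    $db->beginTransaction();
    $rows   = $db->query("SELECT id, body FROM {$table}")->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare("UPDATE {$table} SET body = :body WHERE id = :id");
    $changed = 0;
    foreach ($rows as $row) {
        $clean = redactCredentials($row['body']);
        if ($clean !== $row['body']) {
            $update->execute([':body' => $clean, ':id' => $row['id']]);
            $changed++;
        }
    }
    $db->commit();
    return $changed;
}

// Constructed sample data: one welcome email carrying a password, one harmless notice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE email_log (id INTEGER PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO email_log (body) VALUES
    ('Welcome!\nUsername: alice@example.com\nPassword: Tr0ub4dor&3\nThanks'),
    ('Your invoice #1001 is due.')");

$n = redactEmailLog($db);
echo "Rows redacted: {$n}\n";          // 1
foreach ($db->query("SELECT body FROM email_log") as $row) {
    echo $row['body'], "\n---\n";
}
```

If the log keeps separate text and HTML copies of each message, run the same function over both columns; the regex keys on the label, not the format. Redacting in place does not shrink the log, so this is complementary to, not a replacement for, the truncation option discussed earlier in the thread.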
  15. Like
    wfitg reacted to Blesta Addons in Cron Using Too Much Memory?   
    For me it is normal. You must increase the memory limit in CSF to 350 or 400 MB.
     
    Normal just for the cron job; if you have a small database with few services/clients, then this should get some more investigation.
  16. Like
    wfitg reacted to Michael in Cron Using Too Much Memory?   
    Could be a MySQL issue: can you check the logs?
  17. Like
    wfitg reacted to Joseph H in Cron Using Too Much Memory?   
    I had that issue once, but for me it was caused by backup attempts that always kept on failing. I believe it's not the cron itself that's causing the high memory usage, rather the tasks that failed, long running tasks. You can try to check if your backups are running or set to run, disable them and observe.
     
    You can change the PHP version back and forth just to refresh the memory usage (just a trick I learned during the hard times).
  18. Like
    wfitg got a reaction from gutterboy in Clean Payment Buttons For Paypal, Paypal Subscriptions, Etc.   
    I hate the paypal buttons, however, the Blesta button should at least have "Pay Now" or "Pay Here". or something to that effect included. Leave no doubt in the user's mind.
  19. Like
    wfitg reacted to Cody in Php Session Security   
    HSTS has to be configured domain wide, so should only be done via server config, not application specific. I'm not sure many people install only Blesta on their domain.
  20. Like
    wfitg reacted to interfasys in Php Session Security   
    Yeah, but as we know, hosts don't care, some still run Blesta on PHP 5.2, so it's best to be proactive with these things and help them protect their customers' data.
     
    It could be made optional from the settings tab. There could be a new security section where you can enable all these things.
     
    Never do it via .htaccess in 2014! ini_set is the way to go.
  21. Like
    wfitg reacted to Cody in Php Session Security   
    I meant, what explicitly do you think we should consider? Safe mode added in 5.4? What else? Blesta already uses HTTPOnly. Secure cookies isn't feasible because not everyone forces SSL. That's why I'm asking, specifically, what options you think Blesta should support.
  22. Like
    wfitg reacted to mrrsm in Php Session Security   
    It sounds like everything you want done are things that the host should be doing mainly or are configurations that you can do to the server.
  23. Like
    wfitg reacted to flangefrog in Php Session Security   
    I don't think HSTS should be enabled by default. It's great and I use it myself but it's not something you can just disable if you don't want it.
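The thread above argues over which session protections belong in the application and which in server config, and specifically over the Secure cookie flag when not every installation forces SSL. The following is an added example, not Blesta's code, showing how an application can set HttpOnly and SameSite unconditionally via ini_set/session_set_cookie_params, and set Secure only when the current request actually arrived over HTTPS, so plain-HTTP installs keep working. HSTS is deliberately left out, as the thread concludes it is a domain-wide, server-level decision. The reverse-proxy detection via X-Forwarded-Proto is an assumption that only holds if a trusted proxy strips the client-supplied header. Requires PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example (not Blesta's own code): application-side PHP session hardening.

function requestIsHttps(array $server): bool {
    // Direct TLS termination on this host.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated at a reverse proxy. ASSUMPTION: the proxy is trusted and
    // overwrites any client-supplied X-Forwarded-Proto; otherwise drop this branch.
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

function sessionCookieOptions(array $server): array {
    return [
        'lifetime' => 0,                        // browser-session cookie
        'path'     => '/',
        'domain'   => '',                       // current host only
        'secure'   => requestIsHttps($server),  // only when this request is HTTPS
        'httponly' => true,                     // not readable from JavaScript
        'samesite' => 'Lax',                    // CSRF mitigation, PHP 7.3+
    ];
}

function hardenSession(array $server): void {
    // Accept session IDs only from cookies PHP itself issued: no URL-based IDs,
    // and reject unknown IDs instead of adopting them (blocks fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params(sessionCookieOptions($server));
    session_start();
    // Rotate the ID on first use; do the same again at login and privilege changes.
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
}

// Constructed sample environments: plain HTTP, direct HTTPS, HTTPS behind a proxy.
$samples = [
    'http'  => [],
    'https' => ['HTTPS' => 'on'],
    'proxy' => ['HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $env) {
    $opts = sessionCookieOptions($env);
    printf("%-5s secure=%-5s httponly=%-4s samesite=%s\n", $label,
        var_export($opts['secure'], true), var_export($opts['httponly'], true), $opts['samesite']);
}
// In a real request handler, call hardenSession($_SERVER) before any output.
```

The printed table shows secure=false for the plain-HTTP case and true for the other two, while HttpOnly and SameSite are always on. Note that a Secure cookie set during an HTTPS visit will not be sent back on a later plain-HTTP visit, so a site that mixes schemes will see users logged out on the HTTP side; that is the expected trade-off rather than a bug.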
  24. Like
    wfitg reacted to adrzei in [Important] Beware Of Blesta Phishing Scam   
    Hi,
     
    I just got the message back that the server and IP were locked.
  25. Like
    wfitg got a reaction from Michael in [Important] Beware Of Blesta Phishing Scam   
    Yeah, he is busted. What an idiot.
    We have too many experienced webmasters, coders, and admins here for a script kiddie to get away with much. An experienced spammer/hacker would not bother with such nonsense as this. They just want to send their spam.
    It looks like a deliberate attempt to make the Blesta company look bad.
    ---------------------
    here is an SPF generator if anyone needs it
    http://www.spfwizard.net/
    Microsoft makes one too:
    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/