
wfitg

Members
  • Posts: 205
  • Joined
  • Last visited
  • Days Won: 2

Reputation Activity

  1. Like
    wfitg reacted to Michael in [Important] Beware Of Blesta Phishing Scam   
    The thing is this wannabe hacker forgot that if someone decoded it, his domain would be there, which then linked to the stupid tweet we know about and then linked to a visible who.is, and a team page where we could google their name...
  2. Like
    wfitg got a reaction from Michael in [Important] Beware Of Blesta Phishing Scam   
    The -all will reject everything that does not pass. I like to use ~all because I can still get the flagged email. I simply set up a rule to have those flagged emails go to the flagged folder. Then I can scan through them for any mistaken failures (or someone who simply does not have the records set correctly) and also remember those that are frequent abusers. The frequent ones can be blocked on ACL or IP Tables.
    I guess whatever works is the answer as long as something is in place to prevent domain spoofing. This will stop many of the script kiddies and wannabe hackers, but a determined spammer will try other methods than spoofing to hijack an email server.
  3. Like
    wfitg reacted to Michael in [Important] Beware Of Blesta Phishing Scam   
    Yeah, I think however that only works for a fake @domain.com, not domain.com@gmail.com. We have DMARC, which again, like SPF, works at ensuring the sender's IP is correct:
     
    v=DMARC1; p=quarantine; pct=50; adkim=strict;
     
    but it quarantines fakes, and only 50% of them (this is to ensure real emails don't get affected whilst the inboxes are learning).
  4. Like
    wfitg got a reaction from Michael in [Important] Beware Of Blesta Phishing Scam   
    Correct. Nothing can stop someone from using domain.com@gmail.com --except for being observant.
    I know it does work if someone is trying to spoof the actual domain name. For example, the mail server would bounce an email from sales@blesta.com if: (1) the blesta zone file has an SPF record set and (2) the email is not originating from blesta's email server.
    Of course, nothing in life is 100% but I can say that using this has cut down on my domain being spoofed and on the amount of spoofed emails that I receive.
    If I had a company like Blesta I would probably use the "soft fail" [ "v=spf1 ~all" ] flag so I could still get the email but also be alerted that it may not be coming from the correct server.
    The hard fail option is good for individuals who do not want to get any spoofed mail at all.
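The posts above (items 2, 3 and 4) discuss three separate decisions: what the `-all` / `~all` qualifier in an SPF record does to a sender that is not listed, how the quoted DMARC record with `pct=50` is applied, and the mailbox rule of parking soft-fail mail in a flagged folder for review. The script below is an added illustration of all three, not code from the forum posts or from Blesta. The SPF records, DMARC record, IP addresses, domain names and the `Authentication-Results` header are constructed sample values; the SPF evaluator is deliberately simplified to `ip4:` mechanisms plus the `all` default, and the DMARC sampling uses an explicit `sample_point` argument in place of the receiver's random draw so the result is reproducible.

```python
"""Evaluate SPF qualifiers, a DMARC pct policy and a flagged-folder rule.

Added illustration for the SPF/DMARC thread; not code from the forum or Blesta.
All records, addresses and headers are constructed samples.
"""
import re

# Constructed sample records (example.com and 203.0.113.x / 198.51.100.x are
# documentation placeholders, not real infrastructure).
SPF_SOFTFAIL = "v=spf1 ip4:203.0.113.10 ~all"   # the "soft fail" record the post recommends
SPF_HARDFAIL = "v=spf1 ip4:203.0.113.10 -all"   # the hard-fail variant
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=50; adkim=strict;"  # record quoted in the thread

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs plus the 'all' default."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, default = [], "?"          # no 'all' term at all means neutral
    for term in terms[1:]:
        qualifier = "+"                     # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            default = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, default


def spf_check(record, sender_ip):
    """Simplified SPF evaluation: only ip4:<address> mechanisms are understood.

    Returns pass / fail / softfail / neutral. For any sender that is not listed
    the outcome is decided purely by the qualifier on 'all' (-all vs ~all).
    """
    mechanisms, default = parse_spf(record)
    for qualifier, mech in mechanisms:
        kind, _, value = mech.partition(":")
        if kind.lower() == "ip4" and value == sender_ip:
            return QUALIFIERS[qualifier]
    return QUALIFIERS[default]


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; pct=50; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")           # pct defaults to 100 when absent
    return tags


def dmarc_disposition(record, aligned_pass, sample_point):
    """Apply the published DMARC policy to one message.

    sample_point (0..99) stands in for the receiver's random draw; with pct=50
    only draws below 50 get the full policy. RFC 7489 has unselected messages
    receive the next weaker action: quarantine -> none, reject -> quarantine.
    """
    tags = parse_dmarc(record)
    if aligned_pass:                        # SPF or DKIM passed with alignment
        return "none"
    policy = tags.get("p", "none")
    if sample_point < int(tags["pct"]):
        return policy
    return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")


def route_message(auth_results):
    """Folder rule the post describes: pass -> Inbox, softfail -> Flagged, fail -> reject.

    auth_results is the value of an Authentication-Results header as written by
    the receiving MTA; anything without an spf= result is left in the Inbox.
    """
    match = re.search(r"\bspf=(pass|fail|softfail|neutral|none)\b", auth_results)
    result = match.group(1) if match else "none"
    return {"pass": "Inbox", "softfail": "Flagged", "fail": "REJECT"}.get(result, "Inbox")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "~all ->", spf_check(SPF_SOFTFAIL, ip), "| -all ->", spf_check(SPF_HARDFAIL, ip))
    print("pct=50, draw 10:", dmarc_disposition(DMARC_RECORD, False, 10))
    print("pct=50, draw 75:", dmarc_disposition(DMARC_RECORD, False, 75))
    # Constructed header as a receiving MTA might write it
    print(route_message("mx.example.com; spf=softfail smtp.mailfrom=sales@example.com"))
```

Running it shows the trade-off the thread is about: with `~all` the unlisted sender lands in the Flagged folder where it can be reviewed, with `-all` it is rejected outright, and with `pct=50` only half of the non-aligned messages are actually quarantined while the rest are delivered as if `p=none`.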
  5. Like
    wfitg got a reaction from PauloV in [Important] Beware Of Blesta Phishing Scam   
    Good job PauloV
  6. Like
    wfitg reacted to flangefrog in Release 3.3.0   
    Wow, that was fast. 
  7. Like
    wfitg reacted to PauloV in Release 3.3.0   
    Great timing
    We hope next week to release our updated plugins and modules for 3.3
  8. Like
    wfitg reacted to Michael in [Important] Beware Of Blesta Phishing Scam   
    It's like WHM**: they and cPanel do a fix and release more information two weeks later so people don't get affected. What the idiot who sent it forgot was Blesta doesn't send emails, and they announce what it sort of is and who found it if someone did outside the team.
  9. Like
    wfitg reacted to Paul in [Important] Beware Of Blesta Phishing Scam   
    Thanks for that. As I suspected, it does capture your Blesta URL, Username, and Password.
  10. Like
    wfitg reacted to PauloV in [Important] Beware Of Blesta Phishing Scam   
    File decoded
    I have sent you a PM on this forum
    I have detected the injection and the url that you will be able to find easily
  11. Like
    wfitg got a reaction from Darin in Clean Payment Buttons For Paypal, Paypal Subscriptions, Etc.   
    I hate the paypal buttons; however, the Blesta button should at least have "Pay Now" or "Pay Here", or something to that effect, included. Leave no doubt in the user's mind.
  12. Like
    wfitg reacted to Tyson in Any Ideas On Where May Be Wrong?   
    You're probably missing a closing </div> somewhere between the portal and footer.
  13. Like
    wfitg reacted to Blesta Addons in What Crazy Thing I'm Doing   
    I have not seen your logo, but I have designed another one.
    The plugin is almost done now, 95%. Now supporting CSS, JS, HTML, PHP.
  14. Like
    wfitg reacted to flangefrog in Vqmod For Blesta Now Available   
    vQmod intercepts any included php files and does this by changing some code in index.php. This is only done when running yoursite.com/vqmod/install, so after you have installed vQmod you can remove the write permissions. You will need to make vqmod/vqcache and vqmod/logs writable. No special server config should be necessary; if php files can already run then that's enough. You may want to read https://github.com/vqmod/vqmod/wiki for some more info.
  15. Like
    wfitg reacted to Max in Accepting Credit Cards   
    Only need C if you transmit but do not store.
     
    If you want to store card holder data, you do need D, and note that it has all kinds of extra requirements the typical Blesta user does not meet.
    Like that your database server must be on a private network, and that the software should only access the database through stored procedures and not be allowed to perform direct queries.
  16. Like
    wfitg reacted to Paul in Accepting Credit Cards   
    If you are in the US, you might look at e-onlinedata. We're actually partnered with them, see http://e-onlinedata.com/blesta/ for details and costs.
  17. Like
    wfitg reacted to Michael in Accepting Credit Cards   
    Stripe is secure, safe and amazing.
  18. Like
    wfitg reacted to flangefrog in Accepting Credit Cards   
    I don't think any current gateway implementations can allow credit card reuse without storing the data yourself (tokenised storage).
     
    You should do some research into the PCI-DSS standard - if you transmit or store credit card data you will be required to fill out a PCI-DSS SAQ D form. Even if you are only redirecting to a third party like PayPal which accepts the credit card details you are still supposed to fill out an SAQ A-EP form but I think most gateways won't require that. Have a read of this document: https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
     
    This is a good checklist with all the details of each requirement: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_v3.xlsx
  19. Like
    wfitg got a reaction from Clare in I'd Like To Use A Gantt Chart For Projects   
    Many of the members here are very talented. Maybe one of them could make this for a price. Use the message system to ask.
  20. Like
    wfitg reacted to flangefrog in What File Actually Calls The Plugin Handler?   
    The plugin is called by lib/dispatcher.php. I don't think it would be a good idea to modify that file to pass any variables. If you want to set a member variable you can declare it at the top of the class then initialise it within the constructor, optionally setting its value to that from a config file.
    class MyPlugin extends Plugin {
        private $memberVar;

        public function __construct() {
            $this->memberVar = "http://domain.com";
        }

        public function doSomething() {
            echo $this->memberVar;
        }
    }
  21. Like
    wfitg got a reaction from niyo in Resell.biz Adding Domain Privacy   
    Anyone using resell.biz to register their customers' domain names who wants to add domain privacy to the order can do it by using the "options" feature.
    Go to 'packages' > 'options'
    Create a package group named: Domain Privacy
    Create a package option named: Domain Privacy
    In the 'Value' box add: purchase-privacy=true
    Add the option to your group and save.
     
    Finally, update the domain package by adding the Domain Privacy Group under 'configurable options'
    Done
    When the customer checks the domain privacy option box during the order process an arrow will show up on the order form under the domain name that is being ordered. It will have the additional price for privacy.
  22. Like
    wfitg reacted to flangefrog in Fully Custom Blesta Order Page   
    It looks like the correct way to do this is to edit the plugins/order/views/templates/*/config.json and add a new template style.
    {
        "version": "1.1.0",
        "name": "AJAX Template Pack",
        "description": "AJAX order form template pack for the Order plugin.",
        "authors": [
            { "name": "Phillips Data, Inc.", "url": "http://www.blesta.com" }
        ],
        "styles": {
            "slider": {
                "name": "AJAX Slider",
                "thumbnail": "images/thumb_slider.png",
                "screenshot": "images/full_slider.png"
            },
            "boxes": {
                "name": "AJAX Boxes",
                "thumbnail": "images/thumb_boxes.png",
                "screenshot": "images/full_boxes.png"
            },
            "my_custom_style": {
                "name": "My Custom Style",
                "thumbnail": "images/thumb_custom.png",
                "screenshot": "images/full_custom.png"
            }
        }
    }
    Then inside the .pdt files you can use
    <?php if ($order_form->template_style == "my_custom_style") { ?>
        <p>My custom HTML</p>
    <?php } ?>
    Here's the change you made as a vQmod. It's really easy to learn; the best time to start is now.
    custom_order_view.xml
  23. Like
    wfitg got a reaction from Clare in New Features For Blesta   
    I'm talking about expanding that concept.
    After the billing plugin is installed more features can be added or taken away. IOW make Blesta run more like Joomla or Wordpress. It is remarkable how each Wordpress or Joomla site can be made different with the use of separate plugins that are easily turned on and off, or deleted and added.
    Blesta is already superior, but could be made more so with the use of individual feature plugins. Some of them can be commercial, some for free. They can be community supported or Blesta sponsored.
  24. Like
    wfitg reacted to Michael in Blesta Website   
    Or the OP works for WHM** or another competitor... or even more a Zombie because they like biscuits, isn't that a kiddie name?
    You are correct but they are stupid:
    Sucuri: [screenshot]
    InterWorx: [screenshot]
    Nope we don't have a firewall Sucuri.
  25. Like
    wfitg got a reaction from Michael in Blesta Website   
    The OP seems to place 100% faith in 'on-line' web scanners. Many of them don't scan beyond the first page. Plus, their job is to scan for things that they sell. For instance, Sucuri scans every site for a firewall. If it is missing they try to sell it to you.
    To truly discover if a site has an infection or vulnerability use something like 'Fiddler Web debugger'. Fiddler will even decrypt the traffic.
    It may be the OP that is the rookie.