
L3Y

Members
Posts: 112
Joined
Last visited
Days Won: 2

L3Y last won the day on August 8 2015

L3Y had the most liked content!

Profile Information
Gender: Not Telling

Recent Profile Visitors: 1,330 profile views

L3Y's Achievements

  1. Hi, I would like our customers to be able to restrict access to their account on a per-IP basis. I know some customers who would really enjoy such a feature. For admins, restrictions at the server level are more than fine, but having the option to restrict their account would be a very good value added to Blesta. Then people will probably stop being afraid of possible MITM (or maybe be much less worried) ... it's already a hard thing to MITM; it would just be more difficult with such a feature. I see Blesta did great things on XSS and injection prevention. I think such an improvement will be an additional reason for going with Blesta rather than any other billing solution. Cheers
  2. Hi, I saw that if I change my IP address, then I cannot continue to browse Blesta: I need to log in again. However, Blesta will still accept a page refresh, even after a change of the visitor's IP address. I would suggest disconnecting the user even if the page is simply refreshed, not only on page changes. Cheers
  3. Hi, I verified this, and the "Log Out On IP Address Change" feature was enabled when I tested. If my IP changes, I am not logged out of Blesta. Why doesn't this feature work?
  4. Thank you for this clarification. I always thought this line was related in some way to the cookie itself, probably because it starts with an underscore (_). I have learned something new, thank you for this. I've updated my first post to avoid confusion for your other customers who may read this post. However, due to the debug tag, I am still worried about MITM: http://www.blesta.com/forums/index.php?/topic/4533-debug-tag-added-by-default-in-the-universal-module/ Is there any way I can disable this tag in Blesta? I tried to search in the code, but I cannot find the related function. Where is it exactly? ...and also because it makes use of some features which allow a third party to know what the customers' and admins' IP addresses are, and I did not see any way to disable this in the admin (should you not want this, removing it in the code is easy, however). Also: what about a feature that would allow customers and admins to restrict their account access to only one (or more) IP addresses? It should be a good workaround for eventual problems with this. I am aware we can protect the admin and the API this way, but what about the customer side? The same security we get in the admin should be available to our customers, no? Thank you
  5. I tried to log in to a client account while I was logged in as an admin, then I changed my IP address, and I was never logged out. Therefore this function should also apply to the client area. As far as I can see, there are ways to mitigate this problem. However, this is not the same as an improvement to session management in Blesta. Secure cookie management is also a requirement for PCI compliance: http://blog.elementps.com/element_payment_solutions/2013/12/new-pci-dss-session-management-requirements-.html Can we achieve real PCI compliance with Blesta? Thank you ...and don't think I am saying here that Blesta is not good compared with others: I saw similar stuff on other billing systems also. However, I expect more from Blesta than the others, just because it comes from people who are trying to produce a better code base than any other billing solution.
  6. Hi, While working on our Blesta, I saw that when a user logs in, there is a session cookie created with csrf_token. It looks like this:
     Cookie: COOKIENAME_cookie=fd3ukp7hf6757hhjsdfkj6 _csrf_token=98a19b5599909cd47f55619f484a42b1828771674264f85f952c6360a1f&username=email%40hotmail.com&password=MY_PASSWORD_HERE;}
     While I do realize this can be secure in certain conditions, and there might be some very good reasons for this behaviour in Blesta, well.... ...let's say my IP changes while I am logged into Blesta: it doesn't log me out! I want PCI compliance with Blesta, as much as possible. Can someone clarify this? Thank you
  7. I am simply unable to validate the license if the VM is isolated. We can still browse the website from everywhere, and everything else is also working. Am I missing something? Thank you, Carl
  8. Hi, I am having trouble leaving Blesta isolated in a VLAN. If I disable the eth0 card, then I need to update the license very frequently, if Blesta is using only the NAT IP address and forwards the requests to a gateway. Everything else is working as I want, except for this. Is it possible for someone to provide some advice on how others are doing this? Does Blesta's license system require the installation to run on a public IP address? Thank you
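Posts 1 to 6 above ask for two things: a session that ends on any request (a plain refresh included) once the client IP no longer matches the IP recorded at login, and a per-account IP allowlist on the client side as well as the admin side. The following is an added example of how such a guard can be written in PHP; it is not Blesta's code and does not describe how Blesta's "Log Out On IP Address Change" setting is implemented. The class name, the `bound_ip` session key, and the allowlist format (single IPv4 addresses or CIDR entries stored per account) are assumptions.

```php
<?php
// Added example, not Blesta's code. Names (SessionGuard, bound_ip, the
// allowlist format) are assumptions for illustration.
declare(strict_types=1);

final class SessionGuard
{
    /** Session key holding the IP recorded at login (assumed name). */
    private const IP_KEY = 'bound_ip';

    /**
     * Call once right after successful authentication, and after
     * session_regenerate_id(true), so the IP is tied to the fresh session id.
     * Use $_SERVER['REMOTE_ADDR'], not X-Forwarded-For, unless the app sits
     * behind a proxy you control that overwrites that header.
     */
    public static function bind(array &$session, string $clientIp): void
    {
        $session[self::IP_KEY] = $clientIp;
    }

    /**
     * Run on EVERY request (including a refresh of the current page).
     * Returns true when the request may proceed. On any mismatch the session
     * array is emptied so the caller only has to redirect to the login page.
     *
     * @param string[] $allowlist per-account entries such as "203.0.113.10"
     *                            or "203.0.113.0/24"; empty means unrestricted
     */
    public static function check(array &$session, string $clientIp, array $allowlist = []): bool
    {
        $bound = $session[self::IP_KEY] ?? null;
        if ($bound === null || $bound !== $clientIp || !self::ipAllowed($clientIp, $allowlist)) {
            $session = []; // drop everything rather than keep a half-trusted session
            return false;
        }
        return true;
    }

    /** IPv4 allowlist match; malformed rules are skipped so they cannot fail open. */
    public static function ipAllowed(string $ip, array $allowlist): bool
    {
        if ($allowlist === []) {
            return true;
        }
        $ipLong = ip2long($ip);
        if ($ipLong === false) {
            return false; // not IPv4: never matches an IPv4 rule
        }
        foreach ($allowlist as $entry) {
            [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
            $netLong = ip2long($net);
            $bits = (int) $bits;
            if ($netLong === false || $bits < 0 || $bits > 32) {
                continue;
            }
            $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
            if (($ipLong & $mask) === ($netLong & $mask)) {
                return true;
            }
        }
        return false;
    }
}

// Demonstration with constructed values; no real session or request involved.
$session = [];
SessionGuard::bind($session, '203.0.113.10');
$allow = ['203.0.113.0/24'];

var_dump(SessionGuard::check($session, '203.0.113.10', $allow)); // same IP, in allowlist
var_dump(SessionGuard::check($session, '198.51.100.7', $allow)); // IP changed: session cleared
var_dump($session);
```

The check runs before any page is rendered, so a refresh after an IP change is rejected exactly like navigating to another page. The usual caveat applies: mobile clients and some corporate egress pools change IP mid-session, so this trades convenience for the protection against a stolen session cookie being replayed from elsewhere; binding to the session id rotation and short idle timeouts are the complementary controls.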
  9. Hi PauloV, Thank you for the new version; however, there still seem to be missing validations... I see a lot of things like this one:

```php
// quoted from the module as posted
$callArray[$contactType]["address1"] = $this->osrs_normalize_special_characters($client->address1);
$callArray[$contactType]["address2"] = $this->osrs_normalize_special_characters($client->address2);
$callArray[$contactType]["address3"] = "";
$callArray[$contactType]["city"] = $client->city;
$callArray[$contactType]["state"] = $client->city;
$callArray[$contactType]["postal_code"] = $client->zip;
$callArray[$contactType]["country"] = $client->country;
$callArray[$contactType]["email"] = $client->email;
$callArray[$contactType]["phone"] = $this->formatPhone(isset($numbers[0]) ? $numbers[0]->number : null, $client->country);
$callArray[$contactType]["fax"] = "";
$callArray[$contactType]["url"] = "";
$callArray[$contactType]["lang_pref"] = "EN";
```

     You sanitize with preg_match in the function "osrs_normalize_special_characters" only address1 and address2, but not address3, and all the other fields will send whatever you type. The module does not seem to validate what's sent to the OpenSRS API. validateConnection should be private, since it works as private and is not required to be public. There are a couple of other functions like this. I would strongly suggest reviewing the module before using it. I did not verify whether the domain lock functions got improved, so that customers can see whether a domain is locked or unlocked, but I may check on this within the next few days and get back if there is still a problem... Cheers, Carl
  10. Hi, .ca domains must match CIRA requirements. Here they are:
     Province must be 2 letters: QC, MB, ON, etc.
     Postal code cannot have a space, e.g. H0H0H0
     You cannot use accents (é, à, ù, etc.) anywhere. Even if the customer's name has an accent, do not use it, because it will never work.
     No dashes, no special characters should be used in the different fields.
     If a business name is entered, then the customer must choose the "Corporate" contract type. This will only work if the business is an inc. or enr. under the same name in the business registry. If the business is under an individual name, i.e. it is NOT an enr. or inc., then the customer must choose "Canadian Citizen" or "Permanent Resident" (but who cares?)
     Hope that helps, Carl
  11. Hi, Thank you for taking the time to reply to my comment on your module. It works very well, so I think it's time to go a step further. I do not want to seem to push too much on this, but there seem to be people using your module. If it's in a beta stage, then most people can assume it's a release candidate, so it should be fine to use with minimal modification. Not everyone will know you did not add all the required validations to your work, and most people won't think their domains are unlocked. Keep up the good work. Thank you
  12. Hi, Is Maxmind still working? Because I see they sent us an email saying they were going to stop delivering services. We got this email just before we switched to Blesta. Each time I have an order, if Maxmind is enabled then we get an error like this one: http://www.blesta.com/forums/index.php?/topic/1117-order-can-not-be-processed/ I am still having this error even if I use the default parameters: Minimum Score to Reject: 80; Minimum Score to Review: 10; Free Email: Review; Country Mismatch: Review; Risky Country: Reject; Anonymous Proxy: Reject. If I disable Maxmind, then I do not see any problem. Why am I still seeing this error even with the defaults? Also: is there any way to still receive orders even if they do not pass the fraud check? I do not want customers to see this error if the fraud check does not work for them. ...because even if there is fraud as per Maxmind, sometimes it's not. (For example, if the web developer lives in Europe while the customer is living in the USA: should the web developer place an order under the name and address of his client, then we won't see it!) Thank you, Carl
  13. Hi, For posterity, here is how you can display a list of all TLDs through the API in a table...

```php
// $response is the API call result; each package carries a list of pricings
echo "<table>";
if (($packages = $response->response())) {
    foreach ($packages as $package) {
        echo "<tr>";
        foreach ($package->pricing as $pricing) {
            // escape before echoing into HTML
            echo "<td>" . htmlspecialchars((string) $pricing->price, ENT_QUOTES, 'UTF-8') . "</td>";
        }
        echo "</tr>";
    }
}
echo "</table>";
```

     Thank you for your help on this. I was simply missing another loop.
  14. Hi, At Maxmind, I see we have a user ID and a license key... but Blesta only asks for a License Key. I am having an issue with orders when Maxmind is enabled. Is it possible that's because the UserID field is missing? Thank you, Carl
  15. I would suggest adding hourly billing for all products, not only VPS.
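Post 9 complains that the module only normalizes address1 and address2 and passes every other contact field to the registrar untouched, and post 10 lists the CIRA rules those fields must meet. The following is an added example of a validator that applies the rules from post 10 to all the contact fields before anything is sent to the API; it is not PauloV's module, not Blesta's code, and not CIRA's or OpenSRS's own validation. The field names (`first_name`, `province`, `postal_code`, ...), the province list, and the accent table are assumptions.

```php
<?php
// Added example, not the module's or Blesta's code. Field names, the
// province list and the accent map are assumptions for illustration.
declare(strict_types=1);

final class CiraContactValidator
{
    /** Two-letter province/territory codes (assumed to be the complete list). */
    private const PROVINCES = ['AB', 'BC', 'MB', 'NB', 'NL', 'NS', 'NT', 'NU', 'ON', 'PE', 'QC', 'SK', 'YT'];

    /** Accented Latin letters mapped to their base letter (UTF-8 keys). */
    private const ACCENTS = [
        'à' => 'a', 'â' => 'a', 'ä' => 'a', 'á' => 'a', 'ã' => 'a', 'å' => 'a',
        'é' => 'e', 'è' => 'e', 'ê' => 'e', 'ë' => 'e',
        'î' => 'i', 'ï' => 'i', 'í' => 'i', 'ì' => 'i',
        'ô' => 'o', 'ö' => 'o', 'ó' => 'o', 'ò' => 'o', 'õ' => 'o',
        'ù' => 'u', 'û' => 'u', 'ü' => 'u', 'ú' => 'u',
        'ç' => 'c', 'ñ' => 'n', 'ÿ' => 'y',
        'À' => 'A', 'Â' => 'A', 'Ä' => 'A', 'Á' => 'A', 'Ã' => 'A', 'Å' => 'A',
        'É' => 'E', 'È' => 'E', 'Ê' => 'E', 'Ë' => 'E',
        'Î' => 'I', 'Ï' => 'I', 'Í' => 'I', 'Ì' => 'I',
        'Ô' => 'O', 'Ö' => 'O', 'Ó' => 'O', 'Ò' => 'O', 'Õ' => 'O',
        'Ù' => 'U', 'Û' => 'U', 'Ü' => 'U', 'Ú' => 'U',
        'Ç' => 'C', 'Ñ' => 'N',
    ];

    /**
     * Returns ['ok' => bool, 'errors' => string[], 'contact' => array].
     * 'contact' holds normalized values (accents stripped, province upper-
     * cased, postal code compacted); send it only when 'ok' is true.
     */
    public static function validate(array $contact): array
    {
        $errors = [];
        $out = [];

        // Every free-text field is checked, not just address1/address2.
        foreach (['first_name', 'last_name', 'address1', 'address2', 'city'] as $field) {
            $value = self::stripAccents(trim((string) ($contact[$field] ?? '')));
            if ($value === '' && $field !== 'address2') {
                $errors[] = "$field is required";
            } elseif ($value !== '' && !preg_match('/^[A-Za-z0-9 .,]+$/', $value)) {
                $errors[] = "$field contains a dash or special character";
            }
            $out[$field] = $value;
        }

        $province = strtoupper(trim((string) ($contact['province'] ?? '')));
        if (!in_array($province, self::PROVINCES, true)) {
            $errors[] = 'province must be a two-letter code such as QC or ON';
        }
        $out['province'] = $province;

        $postal = strtoupper(str_replace(' ', '', (string) ($contact['postal_code'] ?? '')));
        if (!preg_match('/^[A-Z]\d[A-Z]\d[A-Z]\d$/', $postal)) {
            $errors[] = 'postal_code must be six characters with no space, e.g. H0H0H0';
        }
        $out['postal_code'] = $postal;

        return ['ok' => $errors === [], 'errors' => $errors, 'contact' => $out];
    }

    /** Replace accented letters by their base letter; other bytes are untouched. */
    public static function stripAccents(string $s): string
    {
        return strtr($s, self::ACCENTS);
    }
}

// Constructed sample: accents and a spaced postal code are normalized,
// the dash in the street name is reported as an error.
$result = CiraContactValidator::validate([
    'first_name'  => 'Éric',
    'last_name'   => 'Côté',
    'address1'    => '12 rue Sainte-Anne',
    'city'        => 'Montréal',
    'province'    => 'qc',
    'postal_code' => 'h2x 1y4',
]);
print_r($result);
```

The point of validating before the API call is that the registrar's rejection is otherwise the first time anyone learns the data was wrong, usually after the order has already been paid. The allowed-character regex is deliberately strict (letters, digits, space, period, comma); if a field legitimately needs an apostrophe, widen it there rather than skipping the check for that field.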