L3Y

Members
  • Posts: 112
  • Joined
  • Last visited
  • Days Won: 2

Posts posted by L3Y

  1. Hi,

     

    I would like our customers to be able to restrict access to their account on a per-IP basis.

    I know some customers who would really enjoy such a feature.

    For admins, restrictions at the server level are more than fine, but having the option to restrict their account would be a very good value added to Blesta.

    So then people will probably stop being afraid of a possible MITM :) (or maybe be much less worried). It's already a hard thing to MITM; it would just be more difficult with such a feature.

    I see Blesta did great things on XSS and injection prevention. I think such an improvement will be an additional reason for going with Blesta rather than any other billing solution.

     

    Cheers :blesta:

  2. Cody is right. Additionally, you can prevent session hijacking by enabling the "Log Out On IP Address Change" option for your staff group under Settings > System > Staff > Staff Groups Edit. If enabled, staff belonging to the group will be logged out if their IP address changes.

     

    Hi,

     

    I verified this, and the "Log Out On IP Address Change" feature was enabled when I tested.

    If my IP changes, I am not logged off from Blesta    :wub:

    Why doesn't this feature work?

  3. Cody is right. Additionally, you can prevent session hijacking by enabling the "Log Out On IP Address Change" option for your staff group under Settings > System > Staff > Staff Groups Edit. If enabled, staff belonging to the group will be logged out if their IP address changes.

     

    Thank you for this clarification. I always thought this line was related in some way to the cookie itself, probably because it starts with an underscore (_). I have learned something new; thank you for this.

    I've updated my first post to avoid confusion for your other customers who may read this post.  :)

    However, due to the debug tag, I am still worried about MITM: http://www.blesta.com/forums/index.php?/topic/4533-debug-tag-added-by-default-in-the-universal-module/

    Is there any way I can disable this tag in Blesta? I tried searching the code, but I cannot find the related function. Where is it exactly?

    ...and also because it makes use of some features which allow a third party to know the customers' and admins' IP addresses, and I did not see any way to disable this in the admin (should you not want this, removing it in the code is easy, however).

    Also: what about a feature that would allow customers and admins to restrict their account access to only one (or more) IP addresses? It should be a good workaround for eventual problems on this. I am aware we can protect the admin and the API this way, but what about the customer side? The same security we get in the admin should be available to our customers, no?

     

    Thank you :blesta:

  4. Blesta allows admin logins to time out if the IP changes, which is more important. I don't do cookies so can't comment on that.

    I tried to log in to a client account while I was logged in as an admin, then I changed my IP address, and I was never logged out.

    Therefore this function should also apply to the client area.

    As far as I can see, there are ways to mitigate this problem. However, this is not the same as an improvement to session management in Blesta.

    Secure cookie management is also a requirement for PCI compliance: http://blog.elementps.com/element_payment_solutions/2013/12/new-pci-dss-session-management-requirements-.html

    Can we achieve real PCI compliance with Blesta?

    Thank you :blesta:   ...and don't think I am saying here that Blesta is not good compared with others: I saw similar stuff on other billing systems also. However, I expect more from Blesta than from the others, just because it comes from people who are trying to produce a better code base than any other billing solution.

  5. Hi,

     

    While working on our Blesta, I saw that when a user logs in, there is a session cookie created with a csrf_token.

     

    It looks like this : Cookie: COOKIENAME_cookie=fd3ukp7hf6757hhjsdfkj6
    _csrf_token=98a19b5599909cd47f55619f484a42b1828771674264f85f952c6360a1f&username=email%40hotmail.com&password=MY_PASSWORD_HERE;}

     

    While I do realize this can be secure in certain conditions, and there might be some very good reasons for this behaviour in Blesta, well... let's say my IP changes while I am logged into Blesta: it doesn't log me out!

    I want PCI compliance with Blesta, as much as possible. Can someone clarify this?

     

    Thank you
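The behaviour asked about in the posts above (log the user out when the IP changes, and optionally restrict an account to a list of IPs) can be built on top of PHP's own session handling. The following is an added example written for this page; it is not Blesta's code and does not use Blesta's classes. The `SessionGuard` class, the `$allowedIps` list and the CIDR rule format are this example's own assumptions.

```php
<?php
// Added example (not Blesta code): bind a PHP session to the client IP at login,
// end the session when the IP changes, and enforce a per-account IP allow-list.
// SessionGuard, $allowedIps and the CIDR rule format are assumptions of this example.

declare(strict_types=1);

final class SessionGuard
{
    /** Assumption: an account's allow-list is a list of plain IPs or CIDR strings (v4 or v6). */
    public static function ipAllowed(string $ip, array $allowedIps): bool
    {
        if ($allowedIps === []) {
            return true;                        // no restriction configured for this account
        }
        $packed = inet_pton($ip);
        if ($packed === false) {
            return false;                       // unparsable address: fail closed
        }
        foreach ($allowedIps as $rule) {
            [$net, $bits] = array_pad(explode('/', $rule, 2), 2, null);
            $netPacked = inet_pton($net);
            if ($netPacked === false || strlen($netPacked) !== strlen($packed)) {
                continue;                       // bad rule or family mismatch (v4 rule, v6 client)
            }
            $maxBits = strlen($packed) * 8;
            $bits = $bits === null ? $maxBits : max(0, min($maxBits, (int) $bits));
            if (self::prefixMatch($packed, $netPacked, $bits)) {
                return true;
            }
        }
        return false;
    }

    /** Compare the first $bits bits of two packed addresses of equal length. */
    private static function prefixMatch(string $a, string $b, int $bits): bool
    {
        $fullBytes = intdiv($bits, 8);
        if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
            return false;
        }
        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
    }

    /** Call once, right after the credentials have been verified. */
    public static function login(int $userId, string $ip, array $allowedIps): bool
    {
        if (!self::ipAllowed($ip, $allowedIps)) {
            return false;
        }
        session_regenerate_id(true);            // new id on privilege change: defeats fixation
        $_SESSION['user_id']  = $userId;
        $_SESSION['bound_ip'] = $ip;            // only the binding is stored, never the password
        return true;
    }

    /** Call on every request; on an IP change the session is destroyed and false is returned. */
    public static function check(string $ip): bool
    {
        if (!isset($_SESSION['user_id'], $_SESSION['bound_ip'])) {
            return false;
        }
        if (!hash_equals((string) $_SESSION['bound_ip'], $ip)) {
            self::logout();
            return false;
        }
        return true;
    }

    public static function logout(): void
    {
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
    }
}

// Usage sketch (cookie flags must be set before session_start):
// session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
// session_start();
// SessionGuard::login(42, $_SERVER['REMOTE_ADDR'], ['203.0.113.0/24']);   // constructed sample allow-list
// if (!SessionGuard::check($_SERVER['REMOTE_ADDR'])) { header('Location: /login'); exit; }
```

Two caveats a deployment has to deal with: behind a reverse proxy or load balancer `REMOTE_ADDR` is the proxy's address, so the real client IP has to be taken from a header the proxy is trusted to set; and mobile or multi-homed users change IPs legitimately, which is why IP binding is usually an opt-in per staff group or per account rather than a global default.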

  6. In my opinion your site needs to be public on the Internet; if not, it will not work properly (license check, SSL, gateway postback, etc.).

     

     

    Blesta should work fine as long as the IP isn't changing.

     

    I am simply unable to validate the license if the VM is isolated. We can still browse the website from everywhere, and everything else is also working.

    Am I missing something?

     

    Thank you,

    Carl

  7. Hi,

    I am having trouble leaving Blesta isolated in a VLAN.

    If I disable the eth0 card, then I need to update the license very frequently, if Blesta is using only the NAT IP address and forwards the requests to a gateway.

    Everything else is working as I want, except for this.

    Is it possible for someone to provide some advice on how others are doing this? Does the Blesta license system require the installation to run on a public IP address?

     

    Thank you :)

  8. Hi PauloV,

     

    Thank you for the new version; however, there still seem to be missing validations...

    I see a lot of things like this one:

     

    $callArray[$contactType]["address1"] = $this->osrs_normalize_special_characters($client->address1);
    $callArray[$contactType]["address2"] = $this->osrs_normalize_special_characters($client->address2);
    $callArray[$contactType]["address3"] = "";
    $callArray[$contactType]["city"] = $client->city;
    $callArray[$contactType]["state"] = $client->city;
    $callArray[$contactType]["postal_code"] = $client->zip;
    $callArray[$contactType]["country"] = $client->country;
    $callArray[$contactType]["email"] = $client->email;
    $callArray[$contactType]["phone"] = $this->formatPhone(isset ($numbers[0]) ? $numbers[0]->number : null, $client->country);
    $callArray[$contactType]["fax"] = "";
    $callArray[$contactType]["url"] = "";
    $callArray[$contactType]["lang_pref"] = "EN";
     
    You sanitize with preg_match in the function "osrs_normalize_special_characters" only address1 and address2, but not address3, and all other fields will send whatever you type.

    The module does not seem to validate what's sent to the OpenSRS API.

    validateConnection should be private, since it works as private and is not required to be public. There are a couple of other functions like this.

    I would strongly suggest reviewing the module before using it.

    I did not verify whether the domain lock functions got improved, so that customers can see whether a domain is locked or unlocked, but I may check on this within the next few days and get back if there is still a problem...

    Cheers,

    Carl

  9. Hi,

     

    .ca domains must match CIRA requirements.

     

    Here they are:

    Province must be 2 letters: QC, MB, ON, etc.

    Postal code cannot have a space, e.g. H0H0H0

    You cannot use accents (é, à, ù, etc.) anywhere. Even if the customer name has an accent, do not use it, because it will never work :) No dashes and no special characters should be used in the different fields.

    If a business name is entered, then the customer must choose the "Corporate" contract type. This will only work if the business is an .inc or .enr under the same name in the business registry.

    If the business is under an individual name (if it is NOT an .enr or .inc), then the customer must choose "Canadian Citizen" or "Permanent Resident" (but who cares?  :P )

    Hope that helps :)

    Carl
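The complaint in post 8 (the `$callArray[$contactType]` fields are sent to the registrar API unchecked) and the CIRA rules listed in post 9 fit together as one validation step that runs before the call array is built. The code below is an added example written for this page, not the OpenSRS module's code: `ContactValidator`, its rule table and the sample contact are this example's own. The field names mirror the `$callArray` keys quoted in post 8; the rules encode the post 9 requirements (2-letter province, postal code without a space, ASCII only, no accents or special characters), and the `+CC.number` phone form is an assumption about what the module's `formatPhone()` produces.

```php
<?php
// Added example (not the OpenSRS module's code): whitelist-validate the contact
// fields before they are placed in the API call, instead of sending whatever was typed.
// ContactValidator, RULES and the sample contact below are assumptions of this example.

declare(strict_types=1);

final class ContactValidator
{
    // One whitelist pattern per field. A value that does not match is rejected, not "fixed".
    private const RULES = [
        'first_name'  => '/^[A-Za-z][A-Za-z ]{0,63}$/',
        'last_name'   => '/^[A-Za-z][A-Za-z ]{0,63}$/',
        'org_name'    => '/^[A-Za-z0-9][A-Za-z0-9 .]{0,63}$/',
        'address1'    => '/^[A-Za-z0-9][A-Za-z0-9 .,#]{0,63}$/',
        'address2'    => '/^[A-Za-z0-9 .,#]{0,64}$/',
        'address3'    => '/^[A-Za-z0-9 .,#]{0,64}$/',      // the field the module never sanitized
        'city'        => '/^[A-Za-z][A-Za-z .]{0,63}$/',   // no accents: "Montreal", not "Montréal"
        'state'       => '/^[A-Z]{2}$/',                   // province code: QC, ON, MB ...
        'postal_code' => '/^[A-Z][0-9][A-Z][0-9][A-Z][0-9]$/', // H0H0H0, no space
        'country'     => '/^[A-Z]{2}$/',
        'phone'       => '/^\+[0-9]{1,3}\.[0-9]{6,14}$/',   // assumed +CC.number form, e.g. +1.5145551234
        'email'       => null,                             // checked with filter_var below
        'lang_pref'   => '/^(EN|FR)$/',
    ];

    private const REQUIRED = [
        'first_name', 'last_name', 'address1', 'city', 'state',
        'postal_code', 'country', 'phone', 'email',
    ];

    /** Returns a list of error messages; an empty list means the contact may be sent. */
    public static function validate(array $contact): array
    {
        $errors = [];
        foreach (self::REQUIRED as $f) {
            if (!isset($contact[$f]) || trim((string) $contact[$f]) === '') {
                $errors[] = "$f is required";
            }
        }
        foreach ($contact as $field => $value) {
            if (!array_key_exists($field, self::RULES)) {
                $errors[] = "$field is not an allowed field";   // unknown keys never reach the API
                continue;
            }
            $value = (string) $value;
            if ($field === 'email') {
                if ($value !== '' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[] = 'email is not a valid address';
                }
                continue;
            }
            if ($value === '' && !in_array($field, self::REQUIRED, true)) {
                continue;                                       // optional field left blank
            }
            if (preg_match(self::RULES[$field], $value) !== 1) {
                $errors[] = "$field contains a value the registrar will not accept: $value";
            }
        }
        return $errors;
    }
}

// Constructed sample contact: the postal code has a space and the city has an accent,
// so both are reported; everything else passes.
$sample = [
    'first_name' => 'Carl',       'last_name'   => 'Tremblay',
    'address1'   => '123 Rue Principale', 'address2' => '', 'address3' => '',
    'city'       => 'Montréal',   'state'       => 'QC',
    'postal_code' => 'H0H 0H0',   'country'     => 'CA',
    'phone'      => '+1.5145551234', 'email'    => 'carl@example.com',
    'lang_pref'  => 'EN',
];
$errors = ContactValidator::validate($sample);
print_r($errors);   // only when this list is empty should $callArray be built and sent
```

Because `state` must match two uppercase letters, the validator would also catch the `"state" = $client->city` line quoted in post 8 as soon as a real city name reaches it, which is the kind of defect that otherwise only surfaces as a registrar error.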

  10. Hi,

     

    Thank you for taking the time to reply to my comment on your module. It works very well, so I think it's time to go a step further :)

    I do not want to seem to push too much on this, but there seem to be people using your module. If it's in a beta stage, then most people can assume it's a release candidate, so it should be fine to use with minimal modification. Not everyone will know you did not add all required validations to your work, and most people won't think their domains are unlocked.

     

    Keep up the good work :)  Thank you :)

     

     

     

    Thanks for finding the bugs, I will try to fix it ASAP :)

    With the little time I have to develop the free modules like OpenSRS, sometimes I try to implement in the quickest way just to make it work for now; of course all the code has to be revised in the end and polished so it all works as we all expected :)

    Also OpenSRS technicians are helping me, and they will revise all the code in the end and advise on things that I have to do to be approved officially by OpenSRS (Tucows) ;)

  11. Hi,

     

    Is MaxMind still working? Because I see they sent us an email saying they were going to stop delivering services. We got this email just before we switched to Blesta.

    Each time I have an order, if MaxMind is enabled then we get an error like this one: http://www.blesta.com/forums/index.php?/topic/1117-order-can-not-be-processed/

    I am still having this error even if I use the default parameters:

     

    • Minimum Score to Reject:  80
    • Minimum Score to Review:  10
    • Free Email:  Review
    • Country Mismatch:  Review
    • Risky Country:  Reject
    • Anonymous Proxy:  Reject

     

    If I disable MaxMind, then I do not see any problem.

    Why am I still seeing this error even with the defaults?

    Also: is there any way to still receive orders even if they do not pass the fraud check? I do not want customers to see this error if the fraud check does not work for them. ...because even if there is fraud as per MaxMind, sometimes there isn't (for example, if the web developer lives in Europe while the customer is living in the USA: should the web developer place an order under the name and address of his client, then we won't see it!)

     

    Thank you,

    Carl

  12. Hi,

     

    For posterity, here is how you can display a list of all TLDs through the API in a table...

    // $response is the API response object returned by the packages call made earlier (not shown here)
    echo "<table>";

    if (($packages = $response->response())) {
        foreach ($packages as $package) {
            echo "<tr>";
            $pricingsArray = $package->pricing;
            foreach ($pricingsArray as $pricing) {   // the inner loop that was missing: one cell per pricing entry
                $priceArray = $pricing->price;
                echo "<td>" . $priceArray . "</td>";
            }
            echo "</tr>";
        }
    }
    echo "</table>";

    Thank you for your help on this :)

     

    I was simply missing another loop :)

  13. Yup :)

     

    A domain name should be considered as a different kind of service.

     

    It should be easy to list a customer's domains alone, while it's not right now.

    I would invite Blesta devs to take a look at the Views feature in Drupal: https://www.drupal.org/node/1912118

    This is great because if you want to list or display something on some page, then you can do it very quickly, and it's a great, powerful feature of Drupal (the main reason I like it :)

    Normally Blesta should add a filter box to search records from the table or database. We have this issue with some clients. Clients have more than 50 services, and we need to load pages and select the service to manage it.

    A better way is to add a search box in the table header to search for a given value, and return just the services matching the value.

  14. Yup: it's true.

     

    It's hard to manage domains, and customers are all completely lost in the product list, should they have more than (let's say) 10 domains / services.

     

    It's all mixed together, and hard to separate domains and the other products using the existing functions.

     

    Also, the industry requires different pricing for registration, renewal and transfer. I understand we can use a coupon code, but what if we want our regular price to be lower at registration?

     

    It must allow us to invoice the way we want :)

  15. Hi,

     

    We were offering free Whois protection to our customers.

    Therefore, after our migration to Blesta, we have tons of customers with this option enabled.

     

    If they request an EPP code, the transfer does not work if the WHOIS protection is enabled.

    Is there any chance for Blesta devs to add WHOIS privacy management to the domain modules?

     

    Thank you :)

    Carl

  16. Hi,

     

    Is it possible there are missing validations on user input? I am not yet an expert in object-oriented programming, but it seems like the different forms make it possible to submit whatever you want to the Tucows API. I understand it returns errors if the input is not valid, but is this really the best way to go?

    I mean, for example, the $ns variables, and the $callArray[$contactType].

    Also, there seems to be a bug on the ClientSettings page. It doesn't grab the current status before showing the fieldRadios. As a result, a customer will always see his domain as locked, while it is unlocked.

    After a couple of months/years, I imagine many customers will have unlocked domains, while their domains show up as locked...

     

    Thank you,

    Carl

  17. Ok.

     

    I found why.

     

    This code:

     

     
    <a href="#" class="btn_right submit"><?php $this->_("AdminMain.index.field_ordersubmit");?></a>
    <?php
    $this->Form->fieldSelect("status", $this->Html->ifSet($statuses), $this->Html->ifSet($vars->status), array('id' => "order_status"));
    $this->Form->label($this->_("AdminMain.index.field_markas", true), "order_status");
    ?>
     
    ...it just doesn't seem to be in the correct place to show up, or I may have a CSS issue?

    Anyhow, by moving it and removing the id, it works :)

  18. Hi,

     

    I am having the same issue, but if I go to Billing > Manage Widgets > Order widget, then I do not see any "activate" button, even if I check the box.

    In fact I see no button at all  :P

    I enabled the function "Language.allow_pass_through", just to see how it goes, and it seems like it's not related to our translation files.

     

    Please see the attached screenshot.

     

    Thank you,

     

    Carl

     


  19. Hi,

     

    On my side, I've added that info right below the place where you can change the cPanel password in the client area.

    ...and I also added the same info in the service tab list for hosting packages. See attachment for an example.

    This just took 5-10 minutes of work to do, and we get far fewer requests of this kind  :)

    I prefer to see our customers log in to Blesta instead of getting that info by email. ...because they almost never change their passwords unless the system asks for it, and even if they got the email, they still won't know where they need to go to change their password.

    Question: will Blesta implement SSO with cPanel? Seems like this could be another alternative to help customers remember how to log in...


  20. Hi,

     

    I remember I saw an option somewhere to round up pricing.

    However, I no longer remember where it was, and I do not think I changed this, because it's not in my changelog.

    Is it possible for you to tell me where it is, so I can check?  :)

     

    Thank you,

    Carl

  21. Hi,

     

    Seems like sometimes, 1+1=4 for Blesta  :P

     

    Here is what I got on an automated invoice:

     
    Sub Total:                $39.00CAD CAD
    TPS (5.0000%)         $1.95CAD CAD
    TVQ (9.9700%)       $3.89CAD CAD
                                  
    Total :                   $45.00CAD CAD
     
    (please see attachment to confirm via a screenshot).
     
    Why does Blesta think $39 + $1.95 + $3.89 = $45??

    **Past invoices, before version 3.5.1 (i.e. 3.5.0 and below), were fine. The total was $44.84 CAD. (Please note: if Canadian taxes were cascading before (TVQ was level 2), this is no longer a requirement.)
     
    Thank you for any help on this  :blesta:
     
    Carl
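The post above reports a total that does not equal the sum of the lines it prints. The following is an added example, not Blesta's invoicing code, that computes the totals for the two tax models the post mentions (both taxes on the subtotal, or TVQ cascading on top of TPS as a level-2 tax) in integer cents so that every rounding step is explicit. The rates are the ones printed on the invoice in the post; the function names and the level field are this example's own.

```php
<?php
// Added example (not Blesta code): invoice totals in integer cents with explicit
// per-line rounding, for a non-cascading and a cascading (level-2) tax model.
// roundCents, invoiceTotals and formatMoney are this example's own names.

declare(strict_types=1);

/** Half-up rounding of a fractional number of cents to whole cents. */
function roundCents(float $cents): int
{
    return (int) round($cents, 0, PHP_ROUND_HALF_UP);
}

/**
 * $subtotalCents: e.g. 3900 for $39.00
 * $taxes: list of ['name' => string, 'rate' => percent, 'level' => 1|2]
 * Level-1 taxes apply to the subtotal; level-2 taxes apply to subtotal + level-1 taxes.
 * Each tax line is rounded on its own, which is how it appears on the printed invoice.
 */
function invoiceTotals(int $subtotalCents, array $taxes): array
{
    $lines  = [];
    $level1 = 0;
    foreach ($taxes as $t) {                       // level 1: on the subtotal only
        if ($t['level'] === 1) {
            $lines[$t['name']] = roundCents($subtotalCents * $t['rate'] / 100);
            $level1 += $lines[$t['name']];
        }
    }
    foreach ($taxes as $t) {                       // level 2: on subtotal + level-1 tax
        if ($t['level'] === 2) {
            $lines[$t['name']] = roundCents(($subtotalCents + $level1) * $t['rate'] / 100);
        }
    }
    return [
        'subtotal' => $subtotalCents,
        'taxes'    => $lines,
        'total'    => $subtotalCents + array_sum($lines),
    ];
}

/** One currency label per amount (the invoice in the post printed "CAD CAD"). */
function formatMoney(int $cents, string $currency = 'CAD'): string
{
    return '$' . number_format($cents / 100, 2) . ' ' . $currency;
}

// Constructed sample: the $39.00 invoice from the post, both taxes at level 1.
$nonCascading = invoiceTotals(3900, [
    ['name' => 'TPS', 'rate' => 5.0,  'level' => 1],
    ['name' => 'TVQ', 'rate' => 9.97, 'level' => 1],
]);
// The same invoice with TVQ cascading on top of TPS (level 2), for comparison.
$cascading = invoiceTotals(3900, [
    ['name' => 'TPS', 'rate' => 5.0,  'level' => 1],
    ['name' => 'TVQ', 'rate' => 9.97, 'level' => 2],
]);

foreach (['non-cascading' => $nonCascading, 'cascading' => $cascading] as $label => $inv) {
    echo $label, ': ', formatMoney($inv['subtotal']);
    foreach ($inv['taxes'] as $name => $cents) {
        echo ' + ', $name, ' ', formatMoney($cents);
    }
    echo ' = ', formatMoney($inv['total']), PHP_EOL;
}
```

With these rates the non-cascading model gives $44.84 CAD (1.95 + 3.89 in tax), which is the figure the post reports for invoices before 3.5.1, and the cascading model gives $45.03 CAD (TVQ of $4.08 on $40.95); neither model produces the $45.00 shown, so the example fixes the reference values rather than explaining the discrepancy.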

