Jump to content


  • Content Count

  • Joined

  • Last visited

About EuroDomenii

  • Rank

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location
  1. I don’t dispute that Blesta isn’t secured by design ( “But Blesta seems to be more secure and a nice and clean software”. http://www.webhostingtalk.com/showthread.php?t=1544179) But every application, with authenticated users, could be vulnerable, at some point, to a Cross-Site Request Forgery (CSRF) or Cross-site Scripting (XSS). The main idea of the workaround is to not store the full passwords of the modules ( registrar modules, hosting modules -Proxmox, Vultr etc), but instead store it into a third party proxy api gateway, https://konghq.com/, setup on your own server. The proxy api gateway will transform only the initial request for an authenticated token, then all the request will be forwarded unchanged. How is this different from an attacker grabbing the full password from blesta module? We can implement rate limiting at proxy level, and validate only allowed api calls ( for example deny delete requests). We’ve posted a more detailed explanation here https://forum.proxmox.com/threads/securing-third-party-application-proxmox-integration-with-proxy-api-gateway.47091/ Thank you!
  2. Every ccTLD, with EPP suppport ,might need further custom adjustments. I guess they aren't encoded files in your module, since is based on https://github.com/AfriCC/php-epp2, under GPL3.0 license
  • Create New...