Cody

Just got my paws on a hostbill installation. I haven't spent but a couple minutes with it, but oh my.... exploit, exploit, exploit.

We'll be releasing an update soon, with additional features a fixes. Didn't have time to build it today.

We'll be releasing an update soon, with additional features a fixes. Didn't have time to build it today.

Closing as not a bug. If OP, or anyone else for that matter, can provide steps to duplicate please open a new thread for discussion.

Well, technically it is your side, since your data isn't formatted exactly as our test data.

You can move just about everything outside of the public directory, with the proper code changes. We only recommend having the uploads and temp directories above the publically accessible directory at this time, however.
 
Spend time with my family, contribute to open source projects, and play video games. I'm in the middle of The Last of Us right now.
 
Absolutely not, though you may need to have support and updates in order to upgrade depending on your license type.
 
You're welcome.

Licenses are linked to install path, domain, and IP address. We can enabled multiple IPs and domains per install, though this is typically only done for multi-company licenses but there may be something we can do to acomodate you.
 
Only what's necessary to protect licensing.
 
By lifetime are you referring to our lifetime owned license? That license includes support and updates for life, so there's no need to purchase anything else to receive support and updates.
Owned licenses include 1 year of support and updates, after which you may optionally purchase support and updates on a yearly basis.
 
Releases follow semantic versioning, and patch releases are always free. As an example, if you are running 3.0.0 and we release 3.1.0 but you are not current with your support and updates at the time of that release you may upgrade to any 3.0.x release, but you will need support and updates to upgrade to the 3.1 minor release.
 
You can install Blesta anywhere you'd like.
 
You can certainly do that if you're comfortable with a little PHP. Or you can create static HTML pages that simply link to pages within the Blesta order form.
 
A number of users are currently running Blesta on nginx. Kudos to cloudrck.
 
Security is by far our top priority, so we make a strong effort to releases security patches as fast as possible. The average turn around time varies depending on the severity of the issue, but can range between a few hours to about a week.

Please note that the latest version of this migrator is included with the latest release of Blesta.
 
 
Instructions
BACK UP YOUR BLESTA DATABASE If you are not running import manager plugin version 1.0.3 download import_manager_1.0.3.zip and unzip to /plugins/ Unzip the contents of whmcs_migrator_b8.zip to /plugins/import_manager/components/migrators/ You should now have /plugins/import_manager/components/migrators/whmcs/ Go to [settings] > [Company] > [Plugins] and install the Import Manager Click the Manage button on the Import Manager and proceed through the steps The migration process may take a while. It imports A LOT of stuff.  
Data Imported
Staff (including login passwords) Client Groups Clients (excluding login passwords) Credit Card Payment Accounts Custom Client Fields and Values Client Notes Contacts Tax Rules Currencies Invoices Recurring Invoices Transactions (partial refunds refund the original and create a new transaction for the difference) Client Credits Invoice Credits Support Departments Support Tickets (excluding attachments) Support Predefined Response Categories Support Predefined Responses Sent Emails The following Settings: Mail Delivery Type SMTP Host, User, Password, Port, and Security Type Invoice Days Before Renewal Invoice Reminder Settings Auto Debit Days Before Due Suspend Services After Due Calendar Events Products (become packages) Registrars (become modules/module rows) Servers (become modules/module rows) Services Domains (become services) Notes
All custom pricing overrides will be imported as package pricing potentially creating multiple prices for the same term and currency WHMCS uses plain MD5 passwords for admin users. To enable support for these passwords update (/config/blesta.php) Configure::set("Blesta.auth_legacy_passwords", false); to
Configure::set("Blesta.auth_legacy_passwords", true); What's new in b6
Added debugging option. Added check for gmp extension. Added support for refunds. Import refunded invoices as void.  
What's new in b7
Only sets quantity for package if stock conrtrol enabled Extracts all numberic values from ticket ID to better ensure ticket numbers come through  
What's new in b8
Introduced transactions for deferred commits (speed improvements) Now forces UTF-8 connection to WHMCS database to ensure special characters come through import_manager_1.0.3.zip
whmcs_migrator_b3.zip
whmcs_migrator_b4.zip
whmcs_migrator_b5.zip
whmcs_migrator_b6.zip
whmcs_migrator_b7.zip
whmcs_migrator_b8.zip

Change line 536 of whmcs_migrator.php...
 
from:
 
   
to:
 
          if (!isset($this->mappings['recurring_invoices']))             return;

Please note that the latest version of this migrator is included with the latest release of Blesta.
 
 
Instructions
BACK UP YOUR BLESTA DATABASE If you are not running import manager plugin version 1.0.3 download import_manager_1.0.3.zip and unzip to /plugins/ Unzip the contents of whmcs_migrator_b8.zip to /plugins/import_manager/components/migrators/ You should now have /plugins/import_manager/components/migrators/whmcs/ Go to [settings] > [Company] > [Plugins] and install the Import Manager Click the Manage button on the Import Manager and proceed through the steps The migration process may take a while. It imports A LOT of stuff.  
Data Imported
Staff (including login passwords) Client Groups Clients (excluding login passwords) Credit Card Payment Accounts Custom Client Fields and Values Client Notes Contacts Tax Rules Currencies Invoices Recurring Invoices Transactions (partial refunds refund the original and create a new transaction for the difference) Client Credits Invoice Credits Support Departments Support Tickets (excluding attachments) Support Predefined Response Categories Support Predefined Responses Sent Emails The following Settings: Mail Delivery Type SMTP Host, User, Password, Port, and Security Type Invoice Days Before Renewal Invoice Reminder Settings Auto Debit Days Before Due Suspend Services After Due Calendar Events Products (become packages) Registrars (become modules/module rows) Servers (become modules/module rows) Services Domains (become services) Notes
All custom pricing overrides will be imported as package pricing potentially creating multiple prices for the same term and currency WHMCS uses plain MD5 passwords for admin users. To enable support for these passwords update (/config/blesta.php) Configure::set("Blesta.auth_legacy_passwords", false); to
Configure::set("Blesta.auth_legacy_passwords", true); What's new in b6
Added debugging option. Added check for gmp extension. Added support for refunds. Import refunded invoices as void.  
What's new in b7
Only sets quantity for package if stock conrtrol enabled Extracts all numberic values from ticket ID to better ensure ticket numbers come through  
What's new in b8
Introduced transactions for deferred commits (speed improvements) Now forces UTF-8 connection to WHMCS database to ensure special characters come through import_manager_1.0.3.zip
whmcs_migrator_b3.zip
whmcs_migrator_b4.zip
whmcs_migrator_b5.zip
whmcs_migrator_b6.zip
whmcs_migrator_b7.zip
whmcs_migrator_b8.zip

That's actually the expected behavior. The version number displayed in the footer is the version of the files. There's a separate version number for the database schema, and they're not always in sync.
 
 
However, you do raise a good point. In the future we may want to automatically direct to the upgrade screen if/when an upgrade is possible.

Indeed it is.

Might have something to test out this Friday.

Might have something to test out this Friday.

Version 3.0.2 is now available. You can download it at https://account.blest...er/client_main/.

This is a patch release that corrects issues with 3.0.0.

Patching Blesta

See Patching Blesta in the User Manual for instructions.

Release Notes - Blesta Core - Version 3.0.2
## Version 3.0.2 2013-09-03 ### Bug * [CORE-622] - Plesk: Add login link to automatically login to the Plesk account * [CORE-692] - Missing payment confirmation page when a client pays through a non-merchant gateway without authenticating * [CORE-694] - Undefined index if reset password string fails to decrypt * [CORE-696] - Exclusive coupons are not limited to applying to their assigned packages * [CORE-698] - The payment_url tag in email templates does not include the path that Blesta is installed under * [CORE-699] - The client_url tag in email templates does not include the path that Blesta is installed under * [CORE-704] - "Return to Portal" link appears when portal is not installed * [CORE-707] - Edit invoice does not convert line item to textarea after hitting enter * [CORE-709] - Cannot checkout with an order of $0 in the cart * [CORE-713] - Automatic provisioning of pending services fails to call addService() on the module * [CORE-714] - Universal Module: Configure label shows a numerical ID instead of the product name during checkout * [CORE-715] - Order Plugin: Inactive and Restricted packages appear normally on order pages * [CORE-716] - CLI execution can not properly determine installed URI * [CORE-719] - Redirect loop when clients try to add payment accounts * [CORE-722] - Order: "Allow Coupons" option does not prevent coupons from being accepted on order form ---

Version 3.0.2 is now available. You can download it at https://account.blest...er/client_main/.

This is a patch release that corrects issues with 3.0.0.

Patching Blesta

See Patching Blesta in the User Manual for instructions.

Release Notes - Blesta Core - Version 3.0.2
## Version 3.0.2 2013-09-03 ### Bug * [CORE-622] - Plesk: Add login link to automatically login to the Plesk account * [CORE-692] - Missing payment confirmation page when a client pays through a non-merchant gateway without authenticating * [CORE-694] - Undefined index if reset password string fails to decrypt * [CORE-696] - Exclusive coupons are not limited to applying to their assigned packages * [CORE-698] - The payment_url tag in email templates does not include the path that Blesta is installed under * [CORE-699] - The client_url tag in email templates does not include the path that Blesta is installed under * [CORE-704] - "Return to Portal" link appears when portal is not installed * [CORE-707] - Edit invoice does not convert line item to textarea after hitting enter * [CORE-709] - Cannot checkout with an order of $0 in the cart * [CORE-713] - Automatic provisioning of pending services fails to call addService() on the module * [CORE-714] - Universal Module: Configure label shows a numerical ID instead of the product name during checkout * [CORE-715] - Order Plugin: Inactive and Restricted packages appear normally on order pages * [CORE-716] - CLI execution can not properly determine installed URI * [CORE-719] - Redirect loop when clients try to add payment accounts * [CORE-722] - Order: "Allow Coupons" option does not prevent coupons from being accepted on order form ---

CORE-696 and CORE-722 (allowing coupons when not enabled) are fixed for 3.0.2.

CORE-709 fixed in 3.0.2.
 
To patch yourself, update /plugins/order/views/templates/standard/main_checkout.pdt:
 
change (line 38):
 
                    $this->Form->create();  
to
 
                    $this->Form->create();                     $this->Form->fieldHidden("checkout", "true");

CORE-696 and CORE-722 (allowing coupons when not enabled) are fixed for 3.0.2.

Ok, so turns out this is only reproducible if you disable one of the two Accepted Payment Types in [settings] > [Company] > [billing/Payment] > [Accepted Payment Types].
 
CORE-719 fixed for 3.0.2.
 
To patch yourself update client_accounts.php (line 192):
 
 
        elseif (count($valid_account_types) == 1)  
 
to
 
 
        elseif ($step == 1 && count($valid_account_types) == 1)  

Disable ONLY_FULL_GROUP_BY.

Good to see, based on the poll, that our users are overwhelmingly ethical.

The imported services won't have the customer-id that logicboxes requires in order to pull domain info. So that's explains why that's not in there. I'm pretty sure we have a task for adding the ability to specify the customer-id in the edit service page to allow services that have already been provisioned outside of Blesta v3 to be properly linked through logicboxes.
 
 
Check your module log to see why you receive this error. That's the first major step in determining whether this is an issue with your logicboxes (et. al.) account or with the module itself.

That's how it's done today.

We're working on getting an importer working for a certain billing solution, so with the intent of adding data into the system I reluctantly log in. I get about two clicks in when suddenly, my pupils dilate, my palms get sweaty, and I begin to salivate uncontrolably. I've only been logged in for a few brief moments and already I've stumbled upon an exploit.

I'm thinking, "Okay, that was easy." But I've got work to do. We need to get some test data in there so we can verify the importer. Click, click... vulnerability. Click, vulnerability, click, click, vulnerability, vulnerability, vulnerability. Seriously?
 
A few hours of inputing data and I've discovered more than a dozen vulnerabilities, without looking. No doubt there are many more. They range from mildly amuzing, to "OH $*&! Restore backup!".
 
How do you think we should handle this situation?*
 
 
*Obviously we'll be disclosing these vulnerabilities to the proper channels... in due time.