EuroDomenii Posted April 8, 2019

I don't dispute that Blesta isn't secured by design ("But Blesta seems to be more secure and a nice and clean software", http://www.webhostingtalk.com/showthread.php?t=1544179). But every application with authenticated users could be vulnerable, at some point, to a Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS).

The main idea of the workaround is to not store the full passwords of the modules (registrar modules, hosting modules such as Proxmox, Vultr etc.), but instead store them in a third-party proxy API gateway, https://konghq.com/, set up on your own server. The proxy API gateway will transform only the initial request for an authenticated token; then all the requests will be forwarded unchanged.

How is this different from an attacker grabbing the full password from the Blesta module? We can implement rate limiting at the proxy level, and validate only allowed API calls (for example, deny delete requests).

We've posted a more detailed explanation here: https://forum.proxmox.com/threads/securing-third-party-application-proxmox-integration-with-proxy-api-gateway.47091/

Thank you!
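The policy core of the gateway described in the post above, written out as an added illustration (this is not Blesta, Kong or Proxmox code): the billing module only ever holds a gateway token, the gateway alone holds the hypervisor credential, and a request is forwarded only if the token matches, the HTTP method is on an allowlist (DELETE is refused) and the caller is within a sliding-window rate limit. All credentials, header names and paths are constructed sample values, and for brevity the real credential is injected on every forwarded request rather than only on an initial ticket request.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample credentials for the demonstration only.
GATEWAY_TOKEN = "blesta-gateway-token-EXAMPLE"      # the only secret the billing module stores
UPSTREAM_SECRET = "PVEAPIToken=root@pam!blesta=EXAMPLE-TOKEN-UUID"  # held only by the gateway

ALLOWED_METHODS = {"GET", "POST", "PUT"}  # DELETE is never forwarded upstream
RATE_LIMIT = 5        # requests per client ...
RATE_WINDOW = 60.0    # ... within this many seconds


class Gateway:
    """Decides whether an inbound module request may be forwarded and, if so,
    what the outbound request to the hypervisor API looks like."""

    def __init__(self, gateway_token, upstream_secret, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.gateway_token = gateway_token
        self.upstream_secret = upstream_secret
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # client id -> timestamps of recent forwarded requests

    def _within_rate(self, client, now):
        q = self.seen[client]
        while q and now - q[0] >= self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def handle(self, method, path, headers, client="blesta", now=None):
        """Return ("forward", upstream_request) or ("deny", reason)."""
        now = time.monotonic() if now is None else now
        presented = headers.get("X-Gateway-Token", "")  # hypothetical header name
        # Constant-time comparison so token checking does not leak through timing.
        if not hmac.compare_digest(presented.encode(), self.gateway_token.encode()):
            return "deny", "bad gateway token"
        if method.upper() not in ALLOWED_METHODS:
            return "deny", f"method {method} not permitted"
        if not self._within_rate(client, now):
            return "deny", "rate limit exceeded"
        # Only the gateway adds the real credential; the module never sees it.
        upstream_headers = {k: v for k, v in headers.items() if k != "X-Gateway-Token"}
        upstream_headers["Authorization"] = self.upstream_secret
        return "forward", {"method": method.upper(), "path": path, "headers": upstream_headers}
```

A stolen module configuration therefore yields only the gateway token, which is useless outside the method and rate constraints the gateway enforces, and can be revoked there without touching the hypervisor credential.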
domaingood Posted April 8, 2019

From the source docs, you may be able to use this for client login: http://source-docs.blesta.com/class-ClientLogin.html

API docs: https://docs.blesta.com/display/dev/API

Take a look at Users::auth.

Thank you
Fartuh Posted July 28, 2021

I use a VPN for Kodi, and this solution is also suitable for managing Blesta's admin panel. This provides an additional degree of protection.