EuroDomenii Posted April 8, 2019

I don’t dispute that Blesta isn’t secured by design (“But Blesta seems to be more secure and a nice and clean software”, http://www.webhostingtalk.com/showthread.php?t=1544179). But every application with authenticated users could be vulnerable, at some point, to Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS).

The main idea of the workaround is to not store the full passwords of the modules (registrar modules, hosting modules such as Proxmox, Vultr etc.) in Blesta, but instead to store them in a third-party proxy API gateway, https://konghq.com/, set up on your own server. The proxy API gateway will transform only the initial request for an authenticated token; all the following requests will be forwarded unchanged.

How is this different from an attacker grabbing the full password from the Blesta module? We can implement rate limiting at the proxy level, and validate only allowed API calls (for example, deny DELETE requests).

We’ve posted a more detailed explanation here: https://forum.proxmox.com/threads/securing-third-party-application-proxmox-integration-with-proxy-api-gateway.47091/

Thank you!
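A Kong declarative configuration implementing the three controls described above (credential injection on the login request only, rate limiting, and rejection of DELETE), as an added example that is not from the original thread nor from Blesta or Kong documentation. The upstream Proxmox hostname, the Blesta host IP, the request rate, and the Kong 2.x field names (`allow` rather than the older `whitelist`) are assumptions.

```yaml
# Added example (not from the thread): Kong 2.x declarative config (kong.yml)
# placed between Blesta and a Proxmox host. The Blesta module is configured
# with the gateway address and a placeholder password; the real password
# lives only in this file on the gateway host.
_format_version: "2.1"

services:
  - name: proxmox
    # Assumed upstream Proxmox API endpoint.
    url: https://pve.example.internal:8006
    plugins:
      # Only the Blesta host (assumed address) may reach the gateway.
      - name: ip-restriction
        config:
          allow: ["10.0.0.5"]
      # Rate limit: at most 60 requests per minute per client IP,
      # counted locally on this Kong node.
      - name: rate-limiting
        config:
          minute: 60
          policy: local
    routes:
      # 1) Initial login. Proxmox issues a ticket plus CSRF token from
      #    POST /api2/json/access/ticket (form fields: username, password).
      #    Blesta sends a placeholder; the gateway swaps in the real secret.
      #    Longest-path match means this route wins over the catch-all below.
      - name: proxmox-login
        paths: ["/api2/json/access/ticket"]
        methods: ["POST"]
        strip_path: false
        plugins:
          - name: request-transformer
            config:
              replace:
                body:
                  # Placeholder value: set the real Proxmox password here.
                  - "password:REAL_PROXMOX_PASSWORD"
      # 2) Every other call is forwarded unchanged, but only with the
      #    methods listed. DELETE is absent, so Kong returns 404 and the
      #    request never reaches Proxmox.
      - name: proxmox-api
        paths: ["/api2/json"]
        methods: ["GET", "POST", "PUT"]
        strip_path: false
```

Load it with `kong config db_import kong.yml`, or run Kong in DB-less mode with `declarative_config = kong.yml`; note that Proxmox performs most write actions via POST, so the method allow-list only stops deletes, and the IP restriction and rate limit are what bound the damage from a leaked placeholder.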
domaingood Posted April 8, 2019

From the source docs, you may be able to use this for client login: http://source-docs.blesta.com/class-ClientLogin.html

API docs: https://docs.blesta.com/display/dev/API

Take a look at Users::auth.

Thank you
Fartuh Posted July 28, 2021

I use a VPN for Kodi, and this solution is also suitable for managing Blesta's admin panel. This provides an additional degree of protection.