timnboys, posted September 12, 2016

CubeData is proud to announce we have made a Vultr provisioning module for Blesta.

The cost is $7.00 per month for a monthly license, $100 for an owned license with an optional $25/year support/upgrades renewal if you want support/upgrades for the module (if you don't renew this, you just will not get any support/upgrades/patches/etc. for your module).

Screenshots of the module:

Order Links: https://cubedata.net/vultr

Also, this module has been independently reviewed by a security researcher.

Rocketz, posted September 12, 2016

I'm very big on UI. I've had every plugin currently in use for Blesta custom themed to fit my Blesta install. Is there a way to do this with your encoded module? And when I talk modification, it's not just colours - it's placement, looks, amount of clicks to do X and Y.

Also, what are the current features for the module? Can it load a custom snapshot from Vultr? I have a few there with custom init scripts to simplify setup and clustering.

Will it support hourly billing eventually?

How is the security of this module? Has it been peer-reviewed, or reviewed by a third party?

I'm interested in this one. Just need to know a bit more about it before plunking down the recurring cash for it.

Edit: Is there a way for this module to get the IP data back from Vultr, and send it to another module (let's say a monitoring module)?

timnboys (Author), posted September 12, 2016

On 9/12/2016 at 5:14 PM, AnthonyL said:
> I'm very big on UI. I've had every plugin currently in use for Blesta custom themed to fit my Blesta install. Is there a way to do this with your encoded module? And when I talk modification, it's not just colours - it's placement, looks, amount of clicks to do X and Y.
>
> Also, what are the current features for the module? Can it load a custom snapshot from Vultr? I have a few there with custom init scripts to simplify setup and clustering.
>
> Will it support hourly billing eventually?
>
> How is the security of this module? Has it been peer-reviewed, or reviewed by a third party?
>
> I'm interested in this one. Just need to know a bit more about it before plunking down the recurring cash for it.

1. It isn't like it doesn't use Blesta's UI lol. Though I am not exactly sure how you would "theme" this: considering it's a module, it has no custom UI; it uses Blesta's UI that you have on your install.
2. The current features of it, since this is just the first release, are the usual provisioning functions. Though I do know I could implement init scripts quickly, since the API library I am using to talk to Vultr supports provisioning with custom init scripts, and it also supports loading a "vm" with a custom snapshot as well.
3. Yes, as soon as I figure out how to implement hourly billing, since I don't have a clue yet how to do this.
4. Audit done, see report later in the thread.

Rocketz, posted September 12, 2016

Thanks for the info.

1 - I'll have to look into this more. Currently, a module like cPanel Extended was modified and the entire thing looks different than it does stock. No icons, etc. - Is this the same with yours? Sorry, I'm just not 100% sure how it would match Blesta is all. There has to be an interface the customer uses, right?

2 - Good to know.

3 - Great.

4 - Honestly... yes. If I'm going to trust a module that accesses the Vultr account that has access to all VMs, and it has the capability to terminate/suspend/create.. that's a huge, huge, huge issue of trust. I need to know there are no obvious holes in the module that would allow a customer to hijack it and connect to other VMs. Part of this is the Vultr API, but the credentials to connect to that API are stored in the module. I don't code, so when I suggest an audit, it's just a suggestion. Another one would be to talk to the Blesta guys, get them to review it. I don't know. But module security should be a very important aspect of all this.

Don't take this personally. I'm super interested in the module, but if I'm going to trust it by giving access to Vultr like that, there needs to be some sort of check and balance in place.

timnboys (Author), posted September 12, 2016

redacted

Rocketz, posted September 12, 2016

I wasn't saying you would do that at all. I'm saying a customer signs up, the module provisions their VPS on Vultr. What stops them from hijacking the module via SQL injection or whatever the cool new way to hack into things is, and taking over functions of the Vultr account? That's what I'm most concerned about. Same thing with other modules like cPanel Extended, and others where there's a possibility of a hack.

Nothing is 100% hack proof, so all I'm asking for is if there is a way to have someone else review the code for you, a second set of eyes that could catch something obvious that 99.999% of the hackers would know how to do. And for the 0.001% chance of being hacked, well, we all live with that risk and mitigate it as much as possible.

timnboys (Author), posted September 12, 2016

redacted

PauloV, posted September 13, 2016

Hello timnboys,

Thanks for the great Blesta module release.

Hoping to see more new releases for Blesta.

Regards,
PV

timnboys (Author), posted September 13, 2016

2 hours ago, PauloV said:
> Hello timnboys,
>
> Thanks for the great Blesta module release.
>
> Hoping to see more new releases for Blesta.
>
> Regards,
> PV

Okay, thank you. Didn't see your reply until now.

timnboys (Author), posted September 13, 2016

redacted

Paul, posted September 13, 2016

1 hour ago, timnboys said:
> After thinking of this more, you do realize I don't use SQL at all, right? And if I do, I use Blesta's native functions to access Blesta's DB, so technically if you feel this module isn't secure you are kinda saying Blesta isn't secure then, which you would be wrong on, as there is no way I make my own SQL functions up. I would rather use Blesta's native exposed DB functions that are much more secure than something I can come up with. See this: https://docs.blesta.com/display/dev/Database+Access
>
> ^ This is what I use; what is so insecure about that? In my opinion @AnthonyL you're making a big issue out of something that isn't.

It's unlikely that any SQL injection exists in your module because of the way Blesta is designed, so long as you're not running your own queries outside of the record component. Still, security is a legitimate concern and modules could be vulnerable to XSS or other vulnerabilities. I don't think @AnthonyL is trying to attack you, and it doesn't mean that you've done anything wrong.

Rocketz, posted September 13, 2016

Ugh guys. This is bordering on the ridiculous.

All I asked was if he could get his code reviewed so those purchasing the module can have a good amount of trust that obvious exploit vectors are checked and eliminated.

He said "no, costs too much".

End of story as far as I'm concerned. I'd love a Vultr module, but not at the cost that the module could be exploited in an obvious way and wreck the business.

No one is attacking anyone. I asked a question.

timnboys (Author), posted September 13, 2016

1 hour ago, AnthonyL said:
> Ugh guys. This is bordering on the ridiculous.
>
> All I asked was if he could get his code reviewed so those purchasing the module can have a good amount of trust that obvious exploit vectors are checked and eliminated.
>
> He said "no, costs too much".
>
> End of story as far as I'm concerned. I'd love a Vultr module, but not at the cost that the module could be exploited in an obvious way and wreck the business.
>
> No one is attacking anyone. I asked a question.

First of all, yes, I can get it examined. The guy on Twitter that found the RCE in Blesta said he would "audit" my code for me (said that to me in a ticket a while back). I don't see how you can do it with it ioncubed, but I will give him the source code also if he asks for it. But the point is no one has asked me for an "audit" on my code before; that is where I got confused. Anyway, if it makes you happy @AnthonyL, I will go and get that guy on Twitter to "audit" it for me then.

Rocketz, posted September 13, 2016

Awesome - I'm not a coder, but from what I know, these people sign NDAs and can be held legally responsible if code leaks out. There has to be some sort of trust, but an NDA is a good way to protect each party too.

When it comes to running a business and the implications involved, I'm very strict with what runs where. Never take that personally, it's a business thing. Anything that even remotely touches something that can cripple the business needs to be vetted in some fashion.

I look forward to the results!

timnboys (Author), posted September 14, 2016

On 9/13/2016 at 5:21 PM, AnthonyL said:
> Awesome - I'm not a coder, but from what I know, these people sign NDAs and can be held legally responsible if code leaks out. There has to be some sort of trust, but an NDA is a good way to protect each party too.
>
> When it comes to running a business and the implications involved, I'm very strict with what runs where. Never take that personally, it's a business thing. Anything that even remotely touches something that can cripple the business needs to be vetted in some fashion.
>
> I look forward to the results!

Security report finished, look here for the PDF: Link to Report

https://twitter.com/pwnsdx/status/775897491367661568 ^ hash

Paul, posted September 14, 2016

13 hours ago, timnboys said:
> Security report finished, look here for the PDF: Link to Report
>
> https://twitter.com/pwnsdx/status/775897491367661568 ^ hash

Nice job having it independently reviewed.

timnboys (Author), posted September 14, 2016

6 hours ago, Paul said:
> Nice job having it independently reviewed.

Okay, thanks.

Rocketz, posted September 14, 2016

I'll put my money where my mouth is.

Can we expect continued development of this module? Especially the customization options like using snapshots, or allowing customers to take snapshots, etc.

Rocketz, posted September 14, 2016

FYI: My questions are not about being picky. I realize now you're a college student, so I hope this is more of a learning experience for you, and for other module developers.

When you run a business that holds other people's critical data, it's extremely important to vet everything that touches or can affect that data. You just had the misfortune of having me interested in your module and these questions asked of you. But I'd ask these questions from any module developer that handles critical functions.

Module developers should recognize you don't just cowboy code something, slap on a bit of UI and it's good to go. Businesses don't work that way. In my own environments, there's development, alpha, staging, and then production servers. And at each step, everything is checked over and over how any change interacts with other software on the server. And then there's the security, VPN, 2 factor, 1 time token codes, IP geolocation.. because it's data. People's data and livelihoods, and you never take a chance with that.

timnboys (Author), posted September 14, 2016

4 hours ago, AnthonyL said:
> I'll put my money where my mouth is.
>
> Can we expect continued development of this module? Especially the customization options like using snapshots, or allowing customers to take snapshots, etc.

Yes, you can expect continued development. I haven't abandoned any of my other modules yet either.

4 hours ago, AnthonyL said:
> FYI: My questions are not about being picky. I realize now you're a college student, so I hope this is more of a learning experience for you, and for other module developers.
>
> When you run a business that holds other people's critical data, it's extremely important to vet everything that touches or can affect that data. You just had the misfortune of having me interested in your module and these questions asked of you. But I'd ask these questions from any module developer that handles critical functions.
>
> Module developers should recognize you don't just cowboy code something, slap on a bit of UI and it's good to go. Businesses don't work that way. In my own environments, there's development, alpha, staging, and then production servers. And at each step, everything is checked over and over how any change interacts with other software on the server. And then there's the security, VPN, 2 factor, 1 time token codes, IP geolocation.. because it's data. People's data and livelihoods, and you never take a chance with that.

Yes, I agree you're very strict for security reasons.

Yes, and I should have expected that.

Yes, but let me inform you it was already production ready when it was announced, considering it went through a lot of Q&A testing before even being released/announced by me and before even getting the "Stable" category label.

@AnthonyL does this answer all of your questions?

timnboys (Author), posted September 16, 2016

A patch will be incoming for this module as well, to patch it to work with Blesta v4 (as well as the rest of my modules; I just hate having to go to each thread and say the patch will be coming for support for Blesta v4 on each topic, that is why I am saying it here only lol).

austenite, posted September 17, 2016

Great work @timnboys, looking forward to giving this a trial run!

timnboys (Author), posted September 17, 2016

18 minutes ago, austenite said:
> Great work @timnboys, looking forward to giving this a trial run!

Okay, great! Would be happy to make sure you are a happy & satisfied customer. Please contact me via ticket in WHMCS if you have any problems.

austenite, posted September 17, 2016

7 minutes ago, timnboys said:
> Okay, great! Would be happy to make sure you are a happy & satisfied customer. Please contact me via ticket in WHMCS if you have any problems.

Getting a license invalid error, are you available via live chat or anything to give me a hand?

timnboys (Author), posted September 17, 2016

3 minutes ago, austenite said:
> Getting a license invalid error, are you available via live chat or anything to give me a hand?

Yes, I have livechat, I just need to login to it (and it seems a bug I have already spotted is causing the license invalid error; a patch will be uploaded in a sec).