Leaderboard
Popular Content
Showing content with the highest reputation on 11/06/2016 in all areas
-
Based on my previous post, I set out this evening to fix the current security issue with the following goals in mind:

1. Remove the Manage button by the service listing in all states except Active.
2. Remove the Switch icons on service row expansion in all states except Active.
3. If someone enters the direct URL to the cPanel Extended dashboard, it disables all functionality and displays a message that the account is not properly set up (similar to the default cPanel module).
4. Add a notification message somewhere in the Admin so an administrator is aware the next time they log in.
5. Email an administrator of the failed provision (this might already be an existing Blesta feature).

After getting familiar with the Blesta and cPanel Extended codebases, I have fixed the issue and accomplished my first three goals. I'll continue to become more familiar with the codebase so I can complete goals 4 and 5 too.

To accomplish goal #1, I wrapped the template code with a status active check. This removed the Manage button in the Options column of the service row. Here is the code:

/app/views/client/[template]/client_services.pdt

```php
<td>
<?php
// Only render the Manage button when the listing is in the active state
if ($this->Html->ifSet($status) == "active") {
?>
    <div class="btn-group">
        <a href="<?php echo $this->Html->safe($this->base_uri . "services/manage/" . $this->Html->ifSet($services[$i]->id) . "/");?>" class="btn btn-xs btn-default">
            <i class="fa fa-cog fa-fw"></i> <?php $this->_("ClientServices.index.option_manage");?>
        </a>
    </div>
<?php } ?>
</td>
```

To accomplish goal #2, I wrapped the containing table row with a status active check. This disables the row expansion feature in all service states except active. Here is the code:

/app/views/client/[template]/client_services.pdt

```php
<?php
// List all services
for ($i=0; $i<$num_services; $i++) {
    // The "expand service_info" classes enable row expansion; only add them in the active state
    if ($this->Html->ifSet($status) == "active") {
?>
    <tr class="expand service_info">
<?php } else { ?>
    <tr>
<?php } ?>
        <td><?php $this->Html->_($services[$i]->package->name);?></td>
        <td><?php $this->Html->_($services[$i]->name);?></td>
<?php // ... remaining columns, closing of the row and of the loop unchanged ?>
```

To accomplish goal #3, I wrapped the sidebar tab building code with a status active check. This removes all of the cPanel Extended tabs and features from the /services/manage/ view. By removing the Manage button in goal #1 above, the average user will never be able to reach this URL. But for the tech savvy, it wouldn't be hard to figure out, and my goal with this fix is to prevent those tech savvy types from causing harm. So just in case this URL is called, unless the service is active, no manage features are available. Here's the code:

/app/controllers/client_services.php

```php
public function manage() {
    $this->uses(array("Coupons", "ModuleManager"));

    // Ensure we have a service and that it belongs to the logged-in client
    if (!($service = $this->Services->get((int)$this->get[0])) || $service->client_id != $this->client->id)
        $this->redirect($this->base_uri);

    $package = $this->Packages->get($service->package->id);
    $module = $this->ModuleManager->initModule($service->package->module_id);
    $module->base_uri = $this->base_uri;
    $method = isset($this->get[1]) ? $this->get[1] : null;

    // Set sidebar tabs only for active services; otherwise no module features are exposed
    if ($service->status == "active") {
        $this->buildTabs($service, $package, $module, $method);
    }
    // ... remainder of the method unchanged
```

I've also attached some screenshots showing the updated UIs where a cPanel Extended service is in PENDING state and management is basically disabled.

Overall, I've had a fun night getting familiar with some of the code. Most importantly, I'm happy I was able to fix this security issue for my needs. I welcome any suggestions and advice from the Blesta developers as well as cyandark. If there's a better way to fix this issue, please share so I can learn in the process.

Thanks again for providing this community, and to everyone here who is so helpful. Cheers!
-
Version 2 Now Available

Add kit order form (Kit Wizard with sidebar menu)

What's new?
- Added sidebar menu
- 20 bug fixes with Blesta 4
- Replaced original jquery.sticky.js from Blesta with theia-sticky-sidebar.js
- Updated Bootstrap to latest stable 3.3.7
- Replaced jQuery animation with hardware-accelerated sticky box order summary
- Deleted unused jQuery
- Color changed on Blesta demo
- And more
-
Hi, thanks for your feedback. cPanel Extended has many bugs inherited from the ModulesGarden version. We are working on a new version with many of the functions rewritten from scratch using our code style, like other modules we made from scratch such as SolusVM Extended. Everybody is welcome to make pull requests in the GitHub repo.
-
Look here: https://cubedata.net/verifydomain. This is using Michael Dance's BlestaCMS to handle the HTML and return the output from the backend. It is also using JavaScript to make the form submit the request to the backend and then return the output using AJAX from jQuery, all without "refreshing" or "redirecting" the page, as it should not do; during development I didn't want it actually redirecting to the backend on submit but instead returning the response from the backend on the same page with the form. If anyone asks, the design of the website, the logo, etc. are all thanks to Michael Dance aka @Licensecart, who helped us build this design and also donated the new logo and other things to us, which I am very thankful to him for doing. As you see, it actually functions as well:
-
Add VISA Logo On Order Form?
Paul reacted to INUMIO-Rob for a topic
-
Okay, I just changed it to License Verification and changed the description to: This tool allows you to check if a domain is authorized to be running CubeData Software
-
Somehow I missed the entry in the module logs where cPanel Extended tried to call "createacct" and received an error back from cPanel. I attached a screenshot showing the log entry. So it looks like cPanel prevents a duplicate account with the same domain name from being created. That's good. And it appears that cPanel Extended responds to that error by setting the service to PENDING status. Now I'm thinking I would like for it to do the following:

1. Remove the Manage button by the service listing in all states except Active.
2. Remove the Switch icons on service row expansion in all states except Active.
3. If someone enters the direct URL to the cPanel Extended dashboard, it disables all functionality and displays a message that the account is not properly set up (similar to the default cPanel module).
4. Add a notification message somewhere in the Admin so an administrator is aware the next time they log in.
5. Email an administrator of the failed provision (this might already be an existing Blesta feature).
-
Correct. The default module created a Blesta account and added the service as PENDING. But you could not access the cPanel integrated features offered by the default module. Not sure if that's because it is PENDING or flagged from a failed attempt to provision the account. Either way, it prevents someone from spoofing a domain at purchase and gaining access later. I'm going through the cPanel Extended code this evening. I'm hoping I can simply remove the Manage options in all cases unless the service is Active. Plus, add prevention measures in the order process area. That would even be a little more than the default module does.
-
-
Add VISA Logo On Order Form?
Blesta Addons reacted to Michael for a topic
I don't believe the cards can be used when using Ajax, as it's a one-page checkout. But if you want to just add the picture then edit:

/plugins/order/views/templates/ajax/summary.pdt

Edit this bit:

```php
<div class="radio">
    <label>
        <?php
        // One radio button per available payment type
        $this->Form->fieldRadio("payment_type", $key, $this->Html->ifSet($vars->payment_type) == $key, array('class' => "payment_type"));
        $this->Html->_($value);
        ?>
    </label>
</div>
```
-
Looks really good. Nice and clean looking.
-
Thanks Mike, I'll just add, re #2: We can audit the code for a module or plugin for a fee, and label it as "Certified by Blesta". We haven't done this yet for any 3rd party extensions, but we're open to the idea. Re #6: Maybe. This would be on a case-by-case basis. But, by and large, our recommendation is that the developer release the extension as FOSS on GitHub.
-
There are guidelines, which are listed here: https://docs.blesta.com/display/dev/Programming+Style+Guide but I'm not sure if Blesta checks and forces people to change it. Not that I'm aware of; they can be audited if the developer wishes to do so. But if they follow the guidelines at the link above they shouldn't have any issues, because the Blesta core is stable. Depends on the developer again; all Blesta modules / plugins / gateways are open. Same as point 2. None. Nope. PS: these are from my experiences on the forum; the guys can add to the thread when they have time.
-
Starter
INUMIO-Rob reacted to Abdy for a question
Repeat with me: Blesta... Blesta... not Blaster.

1. All the hosting and domain modules of Blesta allow you to set your own NS.
2. Unlimited
3. Yes
4. Blesta doesn't sell domains; you need to use a domain reseller like Enom or LogicBoxes and pay them.

@Licensecart can help you with your doubts; he is a Blesta expert.
-
Questions without an answer
INUMIO-Rob reacted to Paul for a question
Giving someone you do not trust access to your code, via your templates or otherwise, is never a good idea. Blesta uses a template engine as part of minPHP; it just so happens it is very lightweight. If I recall, Smarty had some major security vulnerabilities which affected at least 2 of our competitors. The bottom line is, you should only install extensions or themes from sources you trust.