Cody
Blesta Developers
Posts: 1,574
Days Won: 74

Everything posted by Cody
-
Mastercard/Visa rules are clear that the CVV may not be stored in any form. Sending the CVV over email is storing, as the message is sent to a mail server where it is retained. Moreover, sending any card data over email is extremely insecure, especially in plain text. All that's needed to process a card in most instances is the number, expiration date, and CVV. If the email contained the CVV and 8 digits of the card number, it's entirely possible to guess the expiration date and the other 8 digits, as the first four digits tell you the card type and the Luhn algorithm narrows it down significantly. PCI also states that any portion of the card number stored must be encrypted. This includes the last four digits as well, so again, sending that in plain text over email is a big no-no.
-
Version 3.1.0-b1 is now available. You can download it in the Client Area. This is a BETA feature release. This release is not considered stable enough for production use. Please report any bugs in the 3.1 beta bug forum.

Upgrading Blesta

See Upgrading Blesta in the User Manual for instructions.

Release Notes - Blesta Core - Version 3.1.0-b1

## Version 3.1.0-b1 2013-12-20

### Bug

* [CORE-753] - Service Suspension Error email template is never used
* [CORE-754] - Service Unsuspension Error email template is never used
* [CORE-756] - A/R Report email template is never used
* [CORE-757] - Invoice Creation Report email template is never used
* [CORE-759] - Service Cancel Error email template is never used
* [CORE-773] - Support Manager: Simplify email pipe script for use in various control panels
* [CORE-945] - Module::getServiceName() expects invalid service_name config.json attribute

### Improvement

* [CORE-156] - Create note on failed auto-debit, payment account removal
* [CORE-247] - cPanel: Auto-generate username/password fields
* [CORE-286] - Package welcome emails do not show currency code
* [CORE-382] - Universal Module: Add tooltips
* [CORE-392] - Add view/edit invoice links in transactions listing
* [CORE-437] - Use Password field when manually adding client account
* [CORE-503] - Module: cPanel - when creating new accounts include an email address
* [CORE-541] - Add the ability to delete addon companies.
* [CORE-570] - Group and designate addons as such on invoices
* [CORE-589] - Add ability to disable attachments for email invoice delivery
* [CORE-591] - Add option to clear cron task locks
* [CORE-593] - Remove append to invoice option when creating new service if no invoices exist
* [CORE-596] - Support Manager: Use schemeless URLs for gravatar images
* [CORE-601] - Add client id to client area
* [CORE-608] - When recording payment, allow installed gateways to be selected for payment type
* [CORE-670] - Add option to internally switch between module rows in the same package module group when managing a service
* [CORE-673] - Add additional staff group permissions
* [CORE-674] - Support Manager: Open ticket set placeholder for client search
* [CORE-677] - cPanel Module: Round disk/bandwidth usage to hundredths
* [CORE-695] - Add force HTTPS to htaccess (disabled by default)
* [CORE-700] - Link Emails setting to Email Templates by default
* [CORE-703] - Update SDK and manual to cover missing auth in cgi/fastCGI
* [CORE-705] - Import Manager: WHMCS Migrator
* [CORE-706] - 2Checkout: phone number and email address are not sent to the gateway when processing payment
* [CORE-732] - Billing at a Glance Plugin: Add Revenue this Year
* [CORE-750] - Service Creation email should set formatting on package pricing price values
* [CORE-751] - Add currency format filter to h2o email template parsing
* [CORE-791] - Increase the size of the text field containing the cron command
* [CORE-792] - CMS: Add support for port number in CMS URLs
* [CORE-810] - Support Manager: Allow departments to override email template from address
* [CORE-814] - Installer: improve temp directory detection
* [CORE-816] - Add support for automated CLI installation
* [CORE-821] - Update instances of "-- Please Select --" to use global language
* [CORE-822] - Simplify modules with use of configuration file
* [CORE-826] - Update About Blesta Credits
* [CORE-832] - SolusVM Module: Allow provisioning by node groups
* [CORE-835] - Redirect nonmerchant gateway notifications to the client interface
* [CORE-843] - SolusVM: Remove password support of special characters
* [CORE-848] - CLI Installer: Add ability to specify hostname
* [CORE-849] - API: Add commands to return version information
* [CORE-850] - Languages need to distinguish between right-to-left and left-to-right
* [CORE-857] - Manually emailing a closed invoice does not update its status from unsent to sent.
* [CORE-876] - Invoices: Add client tax ID to invoice if set
* [CORE-889] - Order Plugin: Update order received email templates on install
* [CORE-891] - Simplify gateways with use of configuration file
* [CORE-892] - Simplify plugins with use of configuration file
* [CORE-896] - Add custom PDF Invoice fonts defined per language
* [CORE-898] - Service notice emails should use the given company ID rather than the configured company
* [CORE-913] - Support Manager: Remove redundant tooltips from add/edit staff schedules
* [CORE-917] - Integrate VAR Customizations configuration
* [CORE-918] - Upgrade to jquery 1.8.3, resolve compatibility issues
* [CORE-922] - Cron should handle exceptions when running all tasks
* [CORE-925] - Support Manager: Update instances of "-- Please Select --" to use global language
* [CORE-926] - Order plugin: Update instances of "-- Please Select --" to use global language
* [CORE-929] - License Manager: Set wildcard for domain, ip, path if license module configured not to validate
* [CORE-936] - PHPIDS: Update filters
* [CORE-942] - Add strict adherence to semantic versioning with pre-releases
* [CORE-943] - Import Manager: Add Blesta 3.1 support for Blesta 2.5 migrator

### New Feature

* [CORE-77] - Module: Proxmox
* [CORE-384] - Module: VPS.NET
* [CORE-386] - Module: Enom
* [CORE-466] - Module: GoGetSSL
* [CORE-512] - Add cancel at end of term package option
* [CORE-606] - Support Manager: Add staff signatures
* [CORE-628] - Add ability to sort packages within package groups
* [CORE-676] - Add total credits to client area
* [CORE-701] - Allow attachments to be disabled on a per email template basis.
* [CORE-708] - Support Plugin: Allow clients to re-open closed tickets
* [CORE-721] - Add manually definable configurable options to packages
* [CORE-736] - Gateway: CCAvenue
* [CORE-743] - Billing at a Glance Plugin: Add year to date revenue graph
* [CORE-884] - Shared Login Plugin
* [CORE-909] - Add optional X-Frame-Options header to .htaccess
* [CORE-941] - Module: TheSSLStore

### Task

* [CORE-43] - Complete Event System
* [CORE-51] - Make All Email Templates Work
* [CORE-70] - Remove Exponential Backup for Auto Debit
* [CORE-431] - Add README to install/upgrade zips
* [CORE-619] - Allow tax rules to be deleted
* [CORE-742] - PayPal Payments Standard: Add additional currency codes
* [CORE-755] - Service Unsuspension email should be sent when a service is unsuspended
* [CORE-760] - Add Staff Email Subscription Notices
* [CORE-885] - Remove Foxrate exchange rate processor
* [CORE-900] - Add a service provisioning error email template
* [CORE-911] - Support Manager: Add staff titles

### Sub-task

* [CORE-902] - Add selected values to options on review checkout page
* [CORE-903] - Add selected values to options in cart
* [CORE-904] - Quantity options do not observe min, max, and step settings
* [CORE-905] - Implement jquery UI slider for quantities

---
-
Version 3.0.7 is now available. You can download it in the Client Area. This is a patch release that corrects issues with 3.0.0.

Patching Blesta

See Patching Blesta in the User Manual for instructions.

Release Notes - Blesta Core - Version 3.0.7

## Version 3.0.7 2013-12-20

### Bug

* [CORE-873] - Favicon missing
* [CORE-877] - Security: Support Manager: XSS vulnerability in support manager
* [CORE-882] - Line item setup fees do not observe setup fee tax setting
* [CORE-887] - Updating a package to change a module group back to Any does not save this change
* [CORE-888] - Contacts::add/edit rule validation should ensure only one 'primary' type per client_id
* [CORE-890] - Universal Module: Fields fail to validate when pending services approved via cron.
* [CORE-897] - Autodebit may reattempt same invoice in same day if payment failed
* [CORE-906] - AmazonS3 Backup fails with period (.) in bucket name
* [CORE-907] - Client numbers fail to increment when clients_start is greater than current max number
* [CORE-915] - 2Checkout: Fails to approve live transactions
* [CORE-919] - Root web directory replacement not case-insensitive
* [CORE-920] - PayPal: Validate should check either business or receiver_email for match on account
* [CORE-921] - Report Manager does not exit after streaming file data for download
* [CORE-927] - Client contact numbers appear on the same line in the client interface
* [CORE-931] - Security: XSS vulnerability in client payment process
* [CORE-932] - Security: Potential XSS vulnerabilities in use of Html::concat()
* [CORE-933] - Backup settings incorrectly set messages
* [CORE-934] - PHPIDS: Blank minimum impact rating is treated as zero instead of disabling action
* [CORE-938] - Services::setFields may cause deadlock
* [CORE-940] - Client setting for auto suspension does not disable auto suspension

### Task

* [CORE-879] - Exchange rates through Google Finance no longer working

---
-
Copy /components/gateways/nonmerchant/offline/ and rename it to offline2.

Rename /components/gateways/nonmerchant/offline2/offline.php to offline2.php.

Open /components/gateways/nonmerchant/offline2/offline2.php and change:

class Offline

to

class Offline2

Update language to your preference in /components/gateways/nonmerchant/offline2/language/en_us/offline.php.
-
We have plans for LDAP integration in the future.
-
This bug has been confirmed and is fixed in 3.0.7.
-
Yes. Add the client to a client group that has Suspend Services Days After Due set to "Never".
-
Added CORE-940 to investigate.
-
My reply was to the OP. Your issue sounds like you have other unpaid invoices open for the client. Are you sure you have disabled auto suspension on the client profile?
-
Disallow Clients To Edit Some Fields From The Client Area
Cody replied to swerlo's topic in Feature Requests
Don't forget multi-company.
-
You could fetch the markup for the system overview widget, but it won't look right outside of Blesta because it will be missing all of the CSS/javascript necessary to render it correctly.
-
There is a known issue (CORE-827) fixed in 3.0.5 that fixes suspending services with Plesk. There may be other issues related as well. My recommendation would be to upgrade to the latest version (3.0.6) and attempt to duplicate the issue.
-
CORE-888 fixed in 3.0.7.
-
This is a "Won't Fix" issue. SSL wildcard certs only work for a single subdomain of the cert'd domain. So *.s3.amazonaws.com works only for something.amazonaws.com, not something.something.s3.amazonaws.com. Since buckets are accessed via [bucketname].s3.amazonaws.com you can't have periods in your bucket name and connect to them via SSL. Instead, to do this you must use something like cloudfront, but Blesta does not yet allow you to specify the host for the AmazonS3 connection. Consider replacing periods with hyphens in your bucket name or open a feature request to add support for cloudfront.
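The single-label rule behind this "Won't Fix" is easy to check mechanically. The following is an added example, not code from the post or from Blesta: a small hostname matcher that applies the RFC 6125 wildcard rule (a `*` may only be the whole left-most label and matches exactly one label), plus a helper that tells you whether a given S3 bucket name would still match the `*.s3.amazonaws.com` certificate when addressed in virtual-hosted style. The bucket names in the test are constructed.

```python
"""Wildcard certificate name matching, one label only (RFC 6125 section 6.4.3).

Added example. Demonstrates why a bucket name containing a period cannot be
reached over TLS via [bucketname].s3.amazonaws.com with a *.s3.amazonaws.com
certificate: the extra dot adds a label that the wildcard does not cover.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    # Names are case-insensitive; a trailing dot (FQDN form) is ignored.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in pattern:
        # No wildcard: the names must be identical label for label.
        return p_labels == h_labels

    # The wildcard must be the entire left-most label ("*.example.com"),
    # never partial ("f*.example.com") and never in a later label.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # One label only: "*.s3.amazonaws.com" has 4 labels, so the host must too.
    # "my.bucket.s3.amazonaws.com" has 5 and is therefore not covered.
    if len(p_labels) != len(h_labels):
        return False

    # The host's left-most label must be non-empty and the rest must match.
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


S3_WILDCARD = "*.s3.amazonaws.com"


def s3_bucket_https_ok(bucket: str) -> bool:
    """Would virtual-hosted-style HTTPS access to `bucket` pass certificate validation?"""
    return wildcard_matches(S3_WILDCARD, f"{bucket}.s3.amazonaws.com")


if __name__ == "__main__":
    for name in ("backups-prod", "backups.prod"):  # constructed bucket names
        print(f"{name:>14}: {'ok' if s3_bucket_https_ok(name) else 'name mismatch'}")
```

Replacing the period with a hyphen, as the post suggests, keeps the bucket inside the single label the wildcard covers; the matcher above returns `True` for `backups-prod` and `False` for `backups.prod`.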
-
Log into enom, then go to [Resellers] > [API] > [Test Account].
-
Works fine for us. Do you have an enom sandbox account you can test with?
-
You can't modify credit card handling to be used for gift cards. This is why Visa/MasterCard have created debit gift cards. You would need an entirely separate payment handling process to deal with gift cards, or use a payment processor that supports them.
-
Already in there. CORE-606 done for 3.1.
-
A plugin could listen for either the Transactions.add or the Invoices.setClosed event handlers, and then send an email alert if payment was for more than the invoiced amount.
-
I've been kicking around the idea of a plugin to do that sort of thing.
-
This is only the beginning.
-
We've been strongly considering this.
-
If you have entered the correct user and password (the same details you use to log into enom) then you do not have the IP address of your blesta server whitelisted in your enom account.
-
It does, somewhat, as the lack of an initialization vector means that two matching plain-texts will always result in the same cipher text, though I am certain this is by design, and as I've stated is sufficient for its purpose (as the likelihood of matching plain-texts is quite low). I still don't see how the AES key is generated. Where does the entropy come from to generate the AES key? It really doesn't matter much as you've stated the keys can be reset. So I assume that means I could set it to anything I desired. I disagree simply because just about any device can be used as a TOTP token generator, so the key need not be hardcoded to the device (any such device is simply a poor design). In fact, the Yubikey itself (but not by itself) can be used as a TOTP token generator. That's true, but only if your device has a network connection (of some sorts), which isn't a requirement of TOTP. I think Yubikey is neat. Is it the most secure option? Well, that's up to the user and the cryptanalysts to decide.
-
Only if the server is properly maintaining the counter. TOTP works the same way to prevent code reuse.