Request from ResellerClub resellers for better security

[EhsanCh]

Hi friends.

As you may know , resellerclub uses your full username and password for API authentication so if you were to be compromised (for example by a bug or insecure hosting) he can access to all of your domains.

the solution is a separate and limited API user , and it can be done only by resellerclub.

i request all of you to vote for this request on Resellerclub feedback system at folowing link :

 

http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

Please pay more attention to security

 

To Vote , simply login to your resellerclub account , at TOP Right of control panel you see a feedback link , click on it to login to feedback system and click on above link. or search by subject : "Please pay more attention to security"

Edited January 19, 2012 by EhsanCh

[cenourinha]

With the API, wouldn't it be possible to get all the information too? They should log all the actions, but it seems their system is very secure at this moment. They even limit the IP access to the API, so only your server IP will be able to connect to the API.

[EhsanCh]

But if someone can access API password , he can login to resellerclub and add his ip to allowed list. he can also move all domains to another panel. someone that has api password , has unlimited access.

[Saviola8x]

But if someone can access API password , he can login to resellerclub and add his ip to allowed list. he can also move all domains to another panel. someone that has api password , has unlimited access.

 

You should create Company account and remove API Access function or any functions without needed for automatic provisioning and management.

 

And if you lost password of resellerclub api account through whmcs so you may lost much than it . Should take care security of your system.

 

But I think Resellerclub's reseller can set permission for sub-reseller, I afraid about move service function.

[EhsanCh]

You should create Company account and remove API Access function or any functions without needed for automatic provisioning and management.

 

And if you lost password of resellerclub api account through whmcs so you may lost much than it . Should take care security of your system.

 

But I think Resellerclub's reseller can set permission for sub-reseller, I afraid about move service function.

-Company account cannot access API function and cannot be used in whmcs.

-yes, we shuld take care security of our system . but nothing is 100% secure, specyally in shared hosting. every time a bug may be found in our hosting softwares or in whmcs... so ?

- no permission can set for subreseller , and even if it can set it is not usefull because we need it under main account.

[EhsanCh]

Dear resellerclub resellers, as you see these days , any hosting can be accessed by hackers, even WHMCS servers.

so please vote for this feature to avoid losing your domains :

 

You have to login to your resellerclub panel , then click on feedback link on top right of your control panel, then click this link :

 

http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

[Blitheheha]

You have to login to your resellerclub panel , then click on feedback link on top right of your control panel

It is right and I noted it

[EhsanCh]

And dont forget to vote for it

[EhsanCh]

Dear Reselleclub resellers , dont forget to vote for this feature :

http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

[imaticon]

Hi All,

 

As you may know , resellerclub uses your full username and password for API authentication

Not at all correct. reseller id and password, not full username@domain.tld

 

However, I agree to have separated access credentials for the Control panel as well for the API access. This is really needed indeed.

 

Regards,

Marco

[imaticon]

With the API, wouldn't it be possible to get all the information too? They should log all the actions, but it seems their system is very secure at this moment. They even limit the IP access to the API, so only your server IP will be able to connect to the API.

 

Be sure it is secure if:

- CURL SSL is used

- Accessing the API from a browser with http is NOT SECURE and should be avoided.

 

And yes, any action made through the API is logged.

 

Regards,

Marco

[EhsanCh]

Only your server IP can connet to API, BUT if someone have api password (that is same as your web panel password) he can login to resellerclub control panel and access to your whole account from any ip. even change your username and password or transfering domains.

Edited July 30, 2012 by EhsanCh