EhsanCh, posted January 19, 2012 (edited January 19, 2012 by EhsanCh):

Hi friends. As you may know, ResellerClub uses your full username and password for API authentication, so if you were to be compromised (for example by a bug or insecure hosting) he can access all of your domains. The solution is a separate and limited API user, and it can be done only by ResellerClub. I request all of you to vote for this request on the ResellerClub feedback system at the following link: http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

Please pay more attention to security

To vote, simply log in to your ResellerClub account. At the top right of the control panel you will see a feedback link; click on it to log in to the feedback system and click on the above link, or search by subject: "Please pay more attention to security".

cenourinha, posted January 22, 2012:

With the API, wouldn't it be possible to get all the information too? They should log all the actions, but it seems their system is very secure at this moment. They even limit the IP access to the API, so only your server IP will be able to connect to the API.

EhsanCh, posted January 22, 2012:

But if someone can access the API password, he can log in to ResellerClub and add his IP to the allowed list. He can also move all domains to another panel. Someone who has the API password has unlimited access.

Saviola8x, posted January 24, 2012:

> But if someone can access the API password, he can log in to ResellerClub and add his IP to the allowed list. He can also move all domains to another panel. Someone who has the API password has unlimited access.

You should create a Company account and remove the API Access function or any functions not needed for automatic provisioning and management. And if you lose the password of the ResellerClub API account through WHMCS, you may lose much more than it. You should take care of the security of your system. But I think a ResellerClub reseller can set permissions for a sub-reseller; I am afraid about the move service function.

EhsanCh, posted January 27, 2012:

> You should create a Company account and remove the API Access function or any functions not needed for automatic provisioning and management. And if you lose the password of the ResellerClub API account through WHMCS, you may lose much more than it. You should take care of the security of your system. But I think a ResellerClub reseller can set permissions for a sub-reseller; I am afraid about the move service function.

- A Company account cannot access the API function and cannot be used in WHMCS.
- Yes, we should take care of the security of our system, but nothing is 100% secure, especially in shared hosting. At any time a bug may be found in our hosting software or in WHMCS... so?
- No permission can be set for a sub-reseller, and even if it could be set it is not useful because we need it under the main account.

EhsanCh, posted June 3, 2012:

Dear ResellerClub resellers, as you see these days, any hosting can be accessed by hackers, even WHMCS servers. So please vote for this feature to avoid losing your domains. You have to log in to your ResellerClub panel, then click on the feedback link at the top right of your control panel, then click this link: http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

Blitheheha, posted June 11, 2012:

> You have to log in to your ResellerClub panel, then click on the feedback link at the top right of your control panel

It is right and I noted it.

EhsanCh, posted June 18, 2012:

And don't forget to vote for it.

EhsanCh, posted July 12, 2012:

Dear ResellerClub resellers, don't forget to vote for this feature: http://feedback.resellerclub.com/forums/19909-general/suggestions/2492951-please-pay-more-attention-to-security

imaticon, posted July 13, 2012:

Hi All,

> As you may know, ResellerClub uses your full username and password for API authentication

Not at all correct. Reseller ID and password, not full username@domain.tld.

However, I agree to have separate access credentials for the control panel as well as for the API access. This is really needed indeed.

Regards,
Marco

imaticon, posted July 13, 2012:

> With the API, wouldn't it be possible to get all the information too? They should log all the actions, but it seems their system is very secure at this moment. They even limit the IP access to the API, so only your server IP will be able to connect to the API.

Be sure it is secure if:

- CURL SSL is used
- Accessing the API from a browser with http is NOT SECURE and should be avoided.

And yes, any action made through the API is logged.

Regards,
Marco

EhsanCh, posted July 30, 2012 (edited July 30, 2012 by EhsanCh):

Only your server IP can connect to the API, BUT if someone has the API password (which is the same as your web panel password), he can log in to the ResellerClub control panel and access your whole account from any IP, even change your username and password or transfer domains.