PDF Invoice Downloads

[Mike230]

Someone alerted me to this yesterday

 

If you take the invoice download link and modify the invoice ID you can access all clients invoices

 

I cant post links yet since my account on the forum is brand new but for example yourdomain.com/clients/dl.php?type=i&id=1244

 

Where 1244 is the invoice ID. If you modify that number you can access other clients invoices without needing to be even logged in to any account at all.

 

Is there any way this can be fixed? Thanks!!

[Rogue-Ident]

It doesn't do that for me...

 

Actually, it gives me this message;

An Error Occured. Please Try Again.

[Nathan123]

I also get " An Error Occured. Please Try Again. "

 

Maybe you should open a support ticket Mike230.

[trine]

Actually, we have noted this too when we first installed and tested 3.12 . We added a session check to a modified pdf generation tool to prevent pdfs from being viewed if no active session is available.

 

If a new clean install still does this, then you should report it as a bug, and open a ticket, as this is quite serious.

 

just my two cents...

[Joweb]

I can also view invoices this way. Why is that?

 

When trying to view you must change client to your whmcs directory and use an active invoice number.

 

yourdomain.com/clients/dl.php?type=i&id=1244

yourdomain.com/whmcsdirectory/dl.php?type=i&id=activeinvoicenumber

[trine]

If a mod could move this to bug reports, that would be good.

[DataHosts]

***moving for verification*****

[Matt]

This issue is corrected in 3.2.

 

Matt