mustardman Posted April 4, 2016 (edited)

Pretty sure this was not possible before updating to v6.3. WHMCS support is trying to tell me this is normal. Not sure what is normal about anonymous internet people being able to access my ticket system without having to log in. They don't even have to use captcha. They just have to create the ticket by email first. So they can automate it and create SPAM quite easily, I would think.

To reproduce, send an email to your WHMCS support email from an email account not associated with any clients on the system. WHMCS will create a ticket and send a reply using the "Support Ticket Opened" template. When you get the reply, just click on the link and view the ticket. No login of any sort required. No captcha, even though I have that enabled.

I also have Setup > General Settings > Support > Client Tickets Require Login checked. According to their documentation this should not be possible when that box is checked, although they tell me I am interpreting that wrong. Seems pretty clear to me, and I am pretty sure that is how it worked before updating to v6.3.

This is great for SPAMMERS. All they have to do is send emails to your WHMCS system and keep changing the "From" email header, and your system will reply to whomever they make the "From" out to be. Not only that, but they can view the ticket and change that email again. Thus it gives them twice the SPAMMING power, all easily automated with no captcha checks.

xyzulu Posted April 4, 2016

You can restrict the opening of tickets to registered users if you like.
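
An added example, not part of the thread and not WHMCS code: a standalone Python pre-filter for a piped support mailbox that applies the two checks discussed above before any ticket or auto-reply is generated. The sender must be a registered client, and the From header must have been authenticated by your own mail server. The client list, the hostname `mx.helpdesk.example` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

REGISTERED = {"alice@example.com"}        # constructed client list (assumption)
TRUSTED_AUTHSERV = "mx.helpdesk.example"  # assumed hostname of your own inbound MTA

def from_is_authenticated(msg):
    """True only if OUR MTA recorded dmarc=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in value.split(";")]
        if parts[0] != TRUSTED_AUTHSERV:
            continue  # not written by our MTA, so it may be sender-supplied
        if any(p.startswith("dmarc=pass") for p in parts[1:]):
            return True
    return False

def triage(raw):
    """Return 'open_and_reply', 'hold' (staff review, no reply) or 'drop'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return "drop"
    # RFC 3834: do not auto-respond to automatically generated mail.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "drop"
    if sender not in REGISTERED:
        return "drop"  # unknown From: no ticket, no reply to an unverified address
    if not from_is_authenticated(msg):
        return "hold"  # registered address, but the From header is unproven
    return "open_and_reply"

def sample(from_addr, auth_results, extra=""):
    """Build a constructed test message."""
    return (f"From: {from_addr}\nTo: support@helpdesk.example\n"
            f"Authentication-Results: {auth_results}\n{extra}"
            "Subject: help\n\nbody\n")

# Constructed sample messages
SAMPLE_OK = sample("Alice <alice@example.com>",
                   "mx.helpdesk.example; spf=pass; dmarc=pass header.from=example.com")
SAMPLE_UNKNOWN = sample("stranger@example.net",
                        "mx.helpdesk.example; dmarc=pass header.from=example.net")
SAMPLE_FORGED = sample("alice@example.com",
                       "mail.attacker.example; dmarc=pass header.from=example.com")
SAMPLE_AUTO = sample("alice@example.com", "mx.helpdesk.example; dmarc=pass",
                     extra="Auto-Submitted: auto-replied\n")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_UNKNOWN", "SAMPLE_FORGED", "SAMPLE_AUTO"):
        print(name, "->", triage(globals()[name]))
```

The `hold` outcome matters because a registered client's address can be written into a forged From header just as easily as any other.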