Jump to content

Just a little security advise

Recommended Posts

Password should not be readable in the mail history users account.

There should be a special variable field for email templates for secrets of sensitive data. Passwords should be inside those brackets. When composing email templates, the data should be sent top the user but afterwards removed if it's contained with the sensitive/secret variables tags.

WHMCS should detect this and erase or replace them, so they are not displayed in the emails history on the users account or registered in the SQL database in plain text anymore. Ideally they should be replaced with *******

This would avoid an attack that compromises an account in the future just looking at the mail history to get server and account logins. I know, I know, users are supposed to change them after first login but some don't and it looks just very bad in terms of security to be able to permanently see the login details by looking at the mail history.

This also defeats the sub user account permissions if they can just look at the mails history and get the logins for accounts which they don't have access.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated