snake (Posted October 29, 2021):

Just discovered a security issue today. If you use a custom admin URL, beware that replying to tickets via email (rather than logging into the admin) may be sharing your admin URL. I noticed this today, when a suspicious-looking customer tried to log in to my admin. I then noticed that my reply to his ticket, which I had replied to from my mobile phone, had the admin URL in it, as WHMCS had not stripped out the previous email I was replying to, which was the notification email from WHMCS about the ticket, which has a link to your admin in the content. So you might want to avoid replying to your tickets via email.

bear (Posted October 29, 2021):

It's never been a secret, just slightly obscured. Loads of emails from the system include that path (for no reason at all I can fathom).

snake (Posted October 29, 2021):

If you have a custom admin URL, then it is supposed to be a secret, that's the point. Otherwise you tend to get lots of hack attempts. WHMCS normally strips previous replies from emails when it imports them, but this seems to have stopped working. I also do not reply to tickets via email very often, only when not in front of my computer, so have not noticed this before.

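As an added example (not from the thread and not WHMCS code), here is a sketch of a check that a mail-import step can run on a staff reply before posting it to a ticket: strip the quoted history, then hold the reply if the admin path is still present. The admin directory name, hostnames and message bodies are constructed, and the function names are hypothetical.

```python
import re

# Assumed, constructed value: the operator's custom admin directory.
ADMIN_PATH = "/s3cr3t-panel/"

# Lines that mail clients commonly put in front of the quoted earlier message.
QUOTE_HEADERS = [
    re.compile(r"^On .{1,200} wrote:$"),
    re.compile(r"^-{2,}\s*Original Message\s*-{2,}$", re.IGNORECASE),
]

def strip_quoted_history(body):
    """Drop '>'-quoted lines and everything below a recognised quote header."""
    kept = []
    for line in body.splitlines():
        s = line.strip()
        if any(p.match(s) for p in QUOTE_HEADERS):
            break
        if s.startswith(">"):
            continue
        kept.append(line)
    return "\n".join(kept).strip()

def prepare_reply(body, admin_path=ADMIN_PATH):
    """Return (text, held). held is True when the admin path survives stripping,
    so the reply should wait for staff review instead of going to the customer."""
    text = strip_quoted_history(body)
    held = admin_path.strip("/").lower() in text.lower()
    return text, held

# Constructed sample 1: a client that marks the quoted notification normally.
SAMPLE_QUOTED = """Hi, your domain is renewed now.

On Fri, Oct 29, 2021 at 9:14 AM Support <support@example.com> wrote:
> A new reply has been posted to the ticket.
> https://billing.example.com/s3cr3t-panel/ticket?id=1
"""

# Constructed sample 2: a client that pastes the earlier message with no markers.
SAMPLE_UNMARKED = """Hi, your domain is renewed now.

Sent from my phone

A new reply has been posted to the ticket.
https://billing.example.com/s3cr3t-panel/ticket?id=1
"""

if __name__ == "__main__":
    for name, body in (("quoted", SAMPLE_QUOTED), ("unmarked", SAMPLE_UNMARKED)):
        print(name, prepare_reply(body)[1])
```

The second sample is the case that matters: when the quote markers are missing, stripping does nothing, and only the path check keeps the link from reaching the customer.
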
bear (Posted October 29, 2021):

> 26 minutes ago, snake said:
> if you have a custom admin url, then it is supposed to be a secret, that's the point.

I'm aware. I also don't see the point of "branding free" not applying everywhere, but that's the way they do things.

snake (Posted October 30, 2021):

Not sure what "branding free" has to do with this?

bear (Posted October 30, 2021):

Nothing directly, just another thing that makes no sense with WHMCS. Reveal the "secret" admin URL in various places, have paid "branding free" that only applies to the front end (but not many emails or the entirety of the admin, where they feel we need to be reminded what software we're paying for) and so on.