Gav Posted February 14, 2008 Share Posted February 14, 2008 Hello, A customer opened a support ticket today, I got the email and went to answer it, this is what I found (see attachment - image is taken from the client's login view) Not the posted date (customer) and the reply date (staff) - the reply date is BEFORE the customer submitted the ticket and contains sensitive information including a password. Luckily in this case the reply was to a previous ticket for the same customer, but I am very concerned about this and need to know that it's in no way possible for the system to send replies intended for other customers. Link to comment Share on other sites More sharing options...
WHMCS CEO Matt Posted February 14, 2008 WHMCS CEO Share Posted February 14, 2008 Not sure what you mean? Hasn't the customer just replied to an already existing ticket they had in their account rather than opening a new one? Matt Link to comment Share on other sites More sharing options...
Gav Posted February 14, 2008 Author Share Posted February 14, 2008 No they opened a new one and before I replied the reply from a previous ticket was displayed there. I'm not sure how this could have happened. BTW: the two messages you can see are the only ones there - there are no other replies. Link to comment Share on other sites More sharing options...
Daniel Posted February 14, 2008 Share Posted February 14, 2008 Looks to me as though they just replied to an existing ticket they had. Client 'A' can't reply to a support ticket that Client 'B' submitted.. Link to comment Share on other sites More sharing options...
Jordan Posted February 14, 2008 Share Posted February 14, 2008 Well, in all honesty, if they direct link to the ticket is given out, then anyone can view it. There is currently no else/if statement for being logged in, that will disable viewing the ticket contents. So, if I knew your website address, and the ticket ID number.. I'd be able to view it. Link to comment Share on other sites More sharing options...
WHMCS CEO Matt Posted February 14, 2008 WHMCS CEO Share Posted February 14, 2008 So, if I knew your website address, and the ticket ID number.. I'd be able to view it. That isn't the case. You would have to know both the ticket number and the random secret variable - you would not be able to view a ticket without both values. Gav, I suggest you open a ticket so I can take a look at your issue specifically if you think something went wrong and it wasn't a reply to an earlier ticket. At the current time there's nothing to suggest a bug. Matt Link to comment Share on other sites More sharing options...
Recommended Posts