Hi,
I was reconstructing the customer panel today to change the layout and customize the template, and as I started working with the support ticket some lines of code went bad and I realized this:
Any customer can read any support ticket on the system just by changing the header value. For example: Customer 'A' created support ticket ID '3'. Customer 'B' created support ticket ID '5'. If you log in to customer 'A's account, click to view your ticket, the URL would go to: "http://domain.com/a2billing/customer/A2B_ticket_view.php?id=3"
If you change the GET parameter on that URL to id 5: "http://domain.com/a2billing/customer/A2B_ticket_view.php?id=5" you will be able to view the contents of this ticket, which belongs to another customer.
The system does not check who initiated each ticket; it just takes the ID and displays the ticket. And you can reply to the ticket and act as if it was your own, even though it belongs to another account.
I haven't seen any posts talking about this bug, if any are available please let me know.
Also, if anyone has developed a workaround for this, it would be great to share it. It is a simple task, but anybody with any information please share to make this easier for me and the community.
Also, would this bug reach the A2billing team from here, or should I submit it someplace else?
Appreciate your time and contribution. Thanks.
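One way to close the hole the post describes, shown here as an added example that is not part of the original post and not A2Billing's own code: the ownership test is folded into the SQL that loads the ticket, so the page can never fetch a ticket by id alone and then forget to compare the owner. Everything below is assumed rather than taken from A2Billing: `$pdo` is an already-opened PDO connection from the existing config include, the logged-in customer's id is kept in `$_SESSION['customer_id']`, and tickets and replies live in tables named `tickets` and `ticket_replies` with the columns used here; rename these to match the real schema.

```php
<?php
// Added example, not A2Billing code. Assumed names (adjust to the real
// schema): $pdo is an open PDO connection created by the config include,
// $_SESSION['customer_id'] holds the logged-in customer's id, and the
// tables are tickets(id, customer_id, subject, body) and
// ticket_replies(ticket_id, customer_id, body).

session_start();

// Identity comes from the session only, never from the request.
function currentCustomerId(): int
{
    if (empty($_SESSION['customer_id'])) {
        http_response_code(401);
        exit('Login required');
    }
    return (int) $_SESSION['customer_id'];
}

// Load a ticket only if it belongs to the given customer. Because the
// ownership condition is part of the query, a ticket owned by someone
// else simply does not exist from this customer's point of view.
function loadOwnedTicket(PDO $pdo, int $ticketId, int $customerId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, customer_id, subject, body FROM tickets'
        . ' WHERE id = :id AND customer_id = :cust'
    );
    $stmt->execute([':id' => $ticketId, ':cust' => $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Replies get the same rule: refuse unless the ticket is the customer's own.
function addReply(PDO $pdo, int $ticketId, int $customerId, string $text): bool
{
    if (loadOwnedTicket($pdo, $ticketId, $customerId) === null) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO ticket_replies (ticket_id, customer_id, body)'
        . ' VALUES (:t, :c, :b)'
    );
    return $stmt->execute([':t' => $ticketId, ':c' => $customerId, ':b' => $text]);
}

// Validate the id parameter before it reaches the database.
$ticketId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($ticketId === false || $ticketId === null) {
    http_response_code(400);
    exit('Bad ticket id');
}

$ticket = loadOwnedTicket($pdo, $ticketId, currentCustomerId());
if ($ticket === null) {
    // Same response for "no such ticket" and "not your ticket", so the
    // page does not reveal which ids are in use.
    http_response_code(404);
    exit('Ticket not found');
}

echo htmlspecialchars($ticket['subject'], ENT_QUOTES, 'UTF-8');
```

The same `loadOwnedTicket()` call should guard every action on a ticket (view, reply, close), not only the view page; a quick check for the bug in other pages is to grep for queries that select a ticket by `id` alone and see whether the customer id from the session is compared anywhere before the result is shown or modified.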