Operators Can see ANY Ticket

[Derwood]

G'day All,

I have had one of the operators of our setup of TTX demonstrate something to me that worries me a little. When logged in and by using the web address line in any browser they can look at any ticket they have access to. An example address is shown below;

http://(your web address)/ttx.cgi?cmd=ticket&sid=&key=16462&style=

by changing the TTX number, they can then view any ticket they like. Regardless of if they belong to that group and should have visibility or not.

I block groups from some of my operators for very good reasons and I am wondering if we can do something about this?

(Using TTX V3.0 and SQL, not 100% sure of the server details)

thanks
Darren

[Sparky]

This is how TTX has always worked.

Anybody, not just operators, can view any ticket if they have the corresponding access key.  However, somebody who is not logged in as an operator would need the full long version of the key.

Feel free to send a message to Alex at his helpdesk if you feel that your setup is not secure enough.

[Alex]

Thanks for heads up. The problem is fixed, updated files are available through SVN repositories:

version 3.01 (latest official release)

https://www.unitedwebcoders.com/fisheye/browse/TTX/release-3.01
or
https://www.unitedwebcoders.com/fisheye/browse/~raw,r=850/TTX/release-3.01/TTXTicket.pm
or
http://svn.unitedwebcoders.com:8082/svn/ttx/release-3.01/


latest development snapshot:

https://www.unitedwebcoders.com/fisheye/browse/TTX/trunk
or
http://svn.unitedwebcoders.com:8082/svn/ttx/trunk/