Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion

osTicket v1.10 (stable) and Maintenance Release v1.9.15 are now available! Go get it now

Ticket Number Display after Posting?

Is it possible for the system to display the ticket number when the user posts using a New Ticket form? When the success screen appears it does not provide the ticket number. If it did, I could ask the user to note the ticket number in case they do not receive the email.

The problem I find is that lately email is very unreliable. I get returned email from Yahoo, Comcast, AOL and others telling me that my email is consistent with Spam even though I seldom send email. They they are very vague about exactly why they are blocking my email--yet, my inbox continues to be full of spam that isn't blocked. I had to have my ISP turn off the mail system check with Spamhaus because even my dynamic IP from Verizon was blocked in Spamhaus from sending mail to my own mail handler on a dedicated server. (sorry for the rant, but really tired of this. I thought I could solve it with Goggle, but cannot seem to get it to work with OsTicket.)

Thanks for any help.

Comments

  • EllenChen;8822 said:
    Is it possible for the system to display the ticket number when the user posts using a New Ticket form? When the success screen appears it does not provide the ticket number. If it did, I could ask the user to note the ticket number in case they do not receive the email.
    Displaying the ticket number would be a security vulnerability. This is mainly because osTicket uses email/ticket ID as login info to access all previous tickets.

    As for the spam issue, you should look into using SMTP for outgoing emails.
  • Why is it a security issue?

    If the user is the only one that sees the ticket number and it's only appears once after posted, it is not much of a security issue. It would be no different than when the user has to enter the ticket number. It does not treat the ticket number as a password so it is also viewable then.

    Sorry, this email issue may be for a different thread, but it is part the reason I'm looking at this. I use SMTP, but it seems that groups such as Yahoo and AOL are blocking a complete ranges of IP addresses. How would SMTP help this? I have dedicated server with Linux. The Web sites on my server have their own IP, I use Plesk Control panel for settings. If I have the mail system on my box check Spamhaus, I cannot even send mail to my own mail server using SMTP since mail server say that my IP used to logon to through my DSL modem to Verizon is blocked by Spamhaus. And I'm told that Spamhaus cannot be remove the block per Verizon's policy and Verizon tells me to call Spamhaus. And then there is the case of customer unwittingly blocking email, and maybe that triggers the block from their provider. Their is no winning this email war--email is broken.
  • EllenChen;8827 said:

    I use SMTP, but it seems that groups such as Yahoo and AOL are blocking a complete ranges of IP addresses.
    If this is the case, then your only course of action is to contact your hosting provider and have them get those IP ranges removed from the blacklist.

    To find out if this is really the case, you can look up your IP address here: www.dnsbl.info/dnsbl-database-check.php
  • EllenChen;8827 said:
    If the user is the only one that sees the ticket number and it's only appears once after posted, it is not much of a security issue. It would be no different than when the user has to enter the ticket number. It does not treat the ticket number as a password so it is also viewable then.
    Trust me I won't just say it was a security issue if it wasn't. You are not thinking in terms of the whole system. See http://osticket.com/forums/showthread.php?t=195 for explanation why it is a bad idea to display the ticket number.
  • I think you might be missing the point here....

    Two different scenarios here:

    1. You create a ticket.
    2. Ticket info gets e-mailed to you.
    3. You go to the site and log in with ticket number and e-mail to check your ticket.

    Your ticket number isn't hidden when entering it into the login field (your main argument why this isn't a security issue). Who's going to see it? The guy standing behind you? I assume you know he's there.

    Next scenario:

    1. You create a ticket.
    2. Ticket number is displayed after you create the ticket.
    3. You log in with ticket number and e-mail to check your ticket.
    4. The guy down the street decides he wants to access your account.
    5. He goes to the site, creates a new ticket witn your e-mail address.
    6. The ticket number is shown to him after he creates the ticket.
    7. He logs in with your e-mail and the new ticket number he has just created, and now has access to your entire ticket history.

    If you can have a ticket number handed to you on a silver platter any time you want one, then ALL you need to access a client's ENTIRE ticket history is their e-mail address. Most people publish these e-mail addresses in plain site on their web sites, and even if they don't, they're not hard to guess (support@, sales@, info@, webmaster@, etc.).

    There is no way that displaying ticket numbers in any format other than through e-mail is NOT a security risk.
  • Got It

    Thanks, got it. So the only real solution is a user name and password.

    Thanks
    Ellen Chen
  • Just incase anyone does want to implement this despite the "confidentiality" risks... All that is required is to add this into

    include/client/thankyou.inc.php


    <p>
    As it is possible that you are unable to access your email, please see details of the ticket below
    <h3 style='color:#DA0404;'>IMPORTANT! Do not loose the ticket number</h3><br/>
    Ticket Number - <?=$ticket->extid;?> <br/>
    Email - <?=$ticket->getEmail();?> <br/>
    Login Link - <a href='http://www.example.com/support/view.php?e=<?=$ticket->getEmail();?>&t=<?=$ticket->extid;?>' target='_blank'>http://www.example.com/support/view.php?e=<?=$ticket->getEmail();?>&t=<?=$ticket->extid;?></a><br/>
    </p>



    Would be better if it pulled the address from the config but ran out of time to find it
  • Just to remind you back again

    Hi there,

    I am definitely agree with peter and Kelli.

    Let me always to remind and strongly recommend you about this important issue:

    Never Display The Ticket Number After Client Submit A New Ticket!

    http://www.openscriptsolution.com/2009/08/27/never-display-the-ticket-number-after-client-submit-a-new-ticket/

    Sincerely,
    Masino Sinaga
  • Displaying Ticket Number

    My need is similar however it is at the staff level.

    Presently the only method I have found for a support agent to be able to view the ticket number that they just created on behalf of a client is to have "admin" permissions enabled.

    This is a solution but the down side to this is that one a staff member has admin assigned they can then see all of the other departments.

    I'm looking for a way to simply display "Ticket # 123456" after staff creates a ticket on behalf of a customer.

    IE. "Ticket #123456 Successfully Created!"
  • Not to be contrary... I feel that there are situations where this isn't a security risk (or at least isn't really as big of one as these posts make it sound).

    scenario: One of our osticket sites is only available on the local LAN in our intranet (ie here at work). You also need to authenticate against the web site with a username and password (specifically with a valid login against Active Directory).

    However, I completely agree that on our public site, the displaying of it is a security risk, and I would never do it.
  • EllenChen;8845 said:
    Thanks, got it. So the only real solution is a user name and password.

    Thanks
    Ellen Chen

    hi ellen,

    have you for this idea a sulotion ?

    br
    lex
This discussion has been closed.