SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

#1
NC Software (Member)
Posts: 512
Join Date: Dec 2005
Location: Sitting
Hover ticket preview a potential security threat - 27-07-2007, 12:17 PM

When viewing the ticket list you can hover your mouse over the yellow ticket icon to preview the message. This hover preview is actually HTML and, if your ticket content is HTML, it has the full capabilities of such. I had an issue the other day where a spam message had come in and, in the process of moving the mouse to the checkbox to delete the message, the hover preview appeared and triggered an HTML new window to open the site the message was triggered to perform. I was confused at first as to what happened, how did this IE window get opened, then I realized someone carefully crafted this message such that when it's viewed in HTML it triggers an action!

You may want to rethink that yellow preview system to NOT be HTML as tickets themselves are NOT HTML, or at least that's the way it's set in my SS 3.10.02. Maybe this is a bug that the preview popup is not stripping HTML like tickets do?

Again, potential security threat in the ticket preview popup!


Neal Culiner
NC Software, Inc.
Visual Basic .NET Forums
3.30.02 STABLE
   
#2
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
27-07-2007, 12:33 PM

Hi Neal,

Have you got "Convert HTML" to the respective entities enabled, or have you selected no processing of HTML (under Ticket options in the admincp)? Please let me know what level of HTML processing you have selected for this option.

Thanks,


Jamie Edwards (jamie.edwards ]at[ kayako.com)
-------------------------------------------------------------------
  • New to the forum? New user's guide here.
  • Submit bug reports here.
  • Submit support tickets via the members area.
  • Submit sales queries either via live chat or via e-mail.
  • There is no official ETA on Version 4.
   
#3
NC Software (Member)
Posts: 512
Join Date: Dec 2005
Location: Sitting
27-07-2007, 12:49 PM

Jamie,

Tell me EXACTLY where in the AdminCP and what setting you want me to check INSTEAD OF sending me on a wild goose chase without YOU referencing the admincp first. I don't see the setting you allude to in your post, so tell me what you want.

Do NOT tell me again OR PM ME again to post in the correct forum. This is a usability design flaw on your part. I am the customer, I do the best I can to post in the best forum based on what I read on your forum home page listing. I see a forum title "Comments, Questions, and Feedback" so that's where I posted this. If you want to move it, that's up to you, but do NOT counsel me again regarding posting in the wrong place! Understood?


   
#4
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
27-07-2007, 02:36 PM

It is found in the admincp under Settings -> Tickets, where you will see the option:

http://jamie.kayako.org/screenshots/...2627030759.png
http://jamie.kayako.org/screenshots/...2727030737.png

What do you have it set to?

===

With regards to me asking you to post in the correct forum - for the benefit of readers, this was not done in a rude way and was simply a request to look at the forum descriptions as guidance on where to post things.

I have to move very few posts as a result of people posting in the incorrect place.

If you are not happy about the forum rules or my (or any other forum moderator) contacting you about forum related matters, then please do not use the forum. The community forum (as stated clearly - almost everywhere) is not a guaranteed support medium. The community here is largely made up of people happy to spare some time to help other users. If you wish to receive direct and dedicated support, please contact the support department.

Thanks,


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
#5
NC Software (Member)
Posts: 512
Join Date: Dec 2005
Location: Sitting
27-07-2007, 02:50 PM

It is set to strip tags. However, my post is saying I don't think this is applying to the ticket preview as the ticket preview (mouse hover) shows full HTML.


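The three ways the thread says a hover preview can treat ticket text (no processing, "Convert HTML" to entities, and "strip tags", as raised in posts #1, #2 and #5) are shown below as an added JavaScript example. It is not Kayako's code and does not claim to mirror how SupportSuite builds its preview: the function names, the sample ticket body and the markup check are all constructed here for illustration. The point a defender cares about is the last function, a check that can be run over every preview path so that no setting or code path (the preview popup included) leaves parseable tags in what the staff browser renders.

```javascript
// Added example, not Kayako's code: how a hover preview should treat untrusted
// ticket text under the three "HTML processing" choices named in the thread.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// "Convert HTML to entities": markup becomes visible text and is never parsed as tags.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// "Strip tags": a small state machine that drops <...> sequences. It only treats
// '<' as a tag opener when a letter, '/', '!' or '?' follows, so "2 < 3" survives,
// and it tracks quotes so an attribute value containing '>' does not end the tag
// early. Like PHP's strip_tags, an unclosed '<tag' swallows the rest of the text.
function stripTags(text) {
  const s = String(text);
  let out = '';
  let inTag = false;
  let quote = null;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (inTag) {
      if (quote) {
        if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'") {
        quote = ch;
      } else if (ch === '>') {
        inTag = false;
      }
    } else if (ch === '<' && /[A-Za-z\/!?]/.test(s[i + 1] || '')) {
      inTag = true;
    } else {
      out += ch;
    }
  }
  return out.replace(/\s+/g, ' ').trim();
}

// Builds the preview string for a given processing mode (hypothetical mode names).
function renderPreview(body, mode) {
  switch (mode) {
    case 'entities': return escapeHtml(body);
    case 'strip': return stripTags(body);
    case 'none': return String(body); // raw HTML reaches the staff browser unchanged
    default: throw new Error(`unknown HTML processing mode: ${mode}`);
  }
}

// Regression check to run over every preview path: true if anything a browser
// would parse as a tag is still present in the string about to be rendered.
function previewHasMarkup(preview) {
  return /<[A-Za-z\/!?]/.test(preview);
}

// Constructed sample ticket body, as if it arrived by e-mail with its HTML intact.
const SAMPLE_TICKET =
  '<p>Hello,</p>\n' +
  '<img src="http://tracker.example/pixel.gif" alt="x>y">\n' +
  '<p>Please <a href="http://example.invalid/">click here</a>.</p>';

function main() {
  for (const mode of ['none', 'entities', 'strip']) {
    const preview = renderPreview(SAMPLE_TICKET, mode);
    console.log(`${mode.padEnd(8)} markup_left=${previewHasMarkup(preview)} :: ${preview}`);
  }
}
main();
```

Only the "none" mode leaves markup in the preview, which is the setting the admin interface itself warns against; the stripped and entity-converted outputs can be inserted into the tooltip as text. In a real page the safest insertion is still as a text node rather than as HTML, so that the check above is a second line of defence rather than the only one.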
   
#6
craigbrass (Senior Member)
Posts: 5,391
Join Date: Jun 2005
Location: Cumbria, UK
27-07-2007, 02:56 PM

Can I just comment here.

Neal: Was there really such a need to be rude to Jamie? He was only trying to help you as all the people who are active on this forum do...


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

Icon Headquarters - Its Elixir - Web2Messenger
   
#7
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
27-07-2007, 03:09 PM

Quote, originally posted by NC Software:
> It is set to strip tags. However, my post is saying I don't think this is applying to the ticket preview as the ticket preview (mouse hover) shows full HTML.

Hi Neal,

Can you send (in a PM) to me (wrapped in [.code] tags) the contents of the post that is causing this issue so I can do testing?

Also, was the post submitted by e-mail or by form?


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
#8
eiden (Member)
Posts: 237
Join Date: Apr 2006
Location: Norway
27-07-2007, 04:08 PM

Quote, originally posted by craigbrass:
> Can I just comment here.
>
> Neal: Was there really such a need to be rude to Jamie? He was only trying to help you as all the people who are active on this forum do...

I agree. No need to be rude.

Guess that some people suffer from A.H.S...
   
#9
craigbrass (Senior Member)
Posts: 5,391
Join Date: Jun 2005
Location: Cumbria, UK
27-07-2007, 06:06 PM

Well, I just get annoyed that people get annoyed at people who are just trying to help on this forum, at times when there is no need to.


   
#10
NC Software (Member)
Posts: 512
Join Date: Dec 2005
Location: Sitting
27-07-2007, 08:18 PM

Jamie,

I don't have the e-mail; naturally I deleted it, as it appeared to be a potential threat if just previewing it was causing IE windows to open. You should be able to see the issue clearly by sending yourself an HTML e-mail with images. You'll see that when you hover the mouse over the ticket icon you'll get a full HTML preview with images. I've seen that quite a bit; I don't think that's intended. The preview info should have its tags stripped as well; you may want to log this as a bug.


   
#11
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
27-07-2007, 08:22 PM

As you have confirmed it was sent via e-mail (in which case tags should be stripped), logged as a bug.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
#12
tony300 (New Member)
Posts: 4
Join Date: Sep 2007
26-09-2007, 12:36 AM

Jamie, this bug has been flagged as "Not a bug / Deferred" http://bugs.kayako.com/index.php?cmd=view&id=212

The admin interface warns that allowing HTML is "not recommended as it can allow malicious code to be executed in staff users web browsers." Can you please find out why this is not considered important enough to fix? It seems to me that this should be a high priority bug.
   
#13
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
26-09-2007, 08:49 AM

Hi Tony,

It was changed to this status as we were unable to replicate it in 3.11.01. However, if you believe the problem still persists then let me know and I shall reopen the bug for further investigation.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
#14
tony300 (New Member)
Posts: 4
Join Date: Sep 2007
26-09-2007, 08:59 AM

It definitely does happen on 3.11.01, but I have only seen it a few times. I'll let you know when I get another one. Thanks.
   
#15
Jamie Edwards (Operations Manager)
Posts: 5,120
Join Date: Jan 2006
Location: United Kingdom
26-09-2007, 09:02 AM

Hi Tony,

It would also help if you could detail your settings for things such as tag stripping and whether or not the ticket was submitted via e-mail or via the form on your support centre.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
   
Tags: hover, potential, preview, threat, ticket