Completed Licensed domains information exposure

Discussion in 'Kayako product feedback and suggestions' started by bear, Jul 9, 2016.

  1. bear

    bear Kayako Guru

    I was looking at something in Google yesterday, and saw they had a link to my site that was incorrect under my company name. For whatever reason, they'd found and linked to "https://FTP.mydomain.com/desk", clearly not a normal link. Cpanel accounts are created with ftp.domain.com pointing to the main IP by default, so it still tries to load it. Seeing as my SSL doesn't cover "ftp" as a subdomain (why would it?) it gets a warning on visiting, as it should.
    Here's where the fun begins.
    Take the "s" off https and load that link, and Kayako now loads a red warning box at the top to complain the installation isn't licensed for that URL, and proceeds to list all the domains it *is* licensed for, thus exposing all my licensed domains to anyone that does so. I had to edit a core file to remove the variable that calls that, since it's no one's business but the owner's.

    I know Kayako is now moving off to a different way of doing things, but thanks for exposing this information all these years. Security 101 dictates the rule of not showing sensitive info to underprivileged users. Hopefully you can learn from that.
     
  2. Jamie Edwards

    Jamie Edwards Staff Member

    Hi bear

    Sorry you had those domain names disclosed. I guess the circumstances in which this could occur are rare, since it is the first time we've had it reported to us. We'll get it fixed!
     
  3. jcarrasquillopr

    jcarrasquillopr New Member

    In which version will it be fixed?

    On the non-hosted version I have seen a lot of reported requests that are now only part of the hosted version.
     
  4. bear

    bear Kayako Guru

    Yes, you've been left behind, as have all download customers.
    Look in upload\__swift\library\class.SWIFT.php for "$_allowedDomains". That's what makes that show. If you edit that carefully you can remove the revealing info.
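    An added illustration of the fix this thread asks for, not Kayako's own code (the real check in class.SWIFT.php is not reproduced here): the error path that echoes the licence list beside a version that keeps it server-side. The function names, the sample licensed domains and the request host are constructed for the example.

    ```php
    <?php
    // Illustrative example, not Kayako's code: the same licence check written two
    // ways. Both decide whether the requested host is licensed; they differ only
    // in what the error path reveals to an anonymous visitor.

    // Constructed sample licence data; a real installation reads this from its key.
    $licensedDomains = ['support.example.com', 'help.example.org'];

    /**
     * Normalise the Host header before comparing: lowercase, no port, no trailing
     * dot. Otherwise "FTP.mydomain.com" and "ftp.mydomain.com" compare differently.
     */
    function normaliseHost(string $host): string
    {
        $host = strtolower(trim($host));
        $host = preg_replace('/:\d+$/', '', $host); // strip ":8080" and the like
        return rtrim($host, '.');
    }

    function isLicensed(string $host, array $licensedDomains): bool
    {
        $licensed = array_map('strtolower', $licensedDomains);
        return in_array(normaliseHost($host), $licensed, true);
    }

    // BEFORE: the message handed to the visitor contains the whole licence list,
    // which is exactly the disclosure reported in this thread.
    function licenseErrorLeaky(string $host, array $licensedDomains): string
    {
        return "This installation is not licensed for {$host}. "
             . "Licensed domains: " . implode(', ', $licensedDomains);
    }

    // AFTER: the visitor gets a generic message; the detail goes to the server
    // error log, which only the administrator can read. The attacker-controlled
    // host is also kept out of the page, so nothing untrusted is echoed back.
    function licenseErrorSafe(string $host, array $licensedDomains): string
    {
        error_log(sprintf('Licence check failed for host "%s"; licensed: %s',
            $host, implode(', ', $licensedDomains)));
        return 'This installation is not licensed for the requested domain. '
             . 'Please contact the site administrator.';
    }

    // Constructed request mirroring the report: an unlicensed subdomain that
    // resolves to the same server IP.
    $requestHost = 'FTP.mydomain.com';
    if (!isLicensed($requestHost, $licensedDomains)) {
        echo licenseErrorSafe($requestHost, $licensedDomains), PHP_EOL;
    }
    ```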
     
  5. Jamie Edwards

    Jamie Edwards Staff Member

    In Kayako 4.75 :)
     
  6. bear

    bear Kayako Guru

    I stand corrected, with apologies to Kayako. Thank you for correcting this.
     
  7. Jamie Edwards

    Jamie Edwards Staff Member

    Hi folks

    This has been fixed in Kayako 4.75, released a few days ago - should the rare circumstances in which this error could occur actually occur, your list of licensed domain names won't be included in that error message. Sorry for any trouble this caused @bear.
     