Securing access to tickets..

Helpdesk for my helpdesk software

Moderator: mkoch227

WIW
Posts: 7
Joined: Thu Mar 08, 2007 5:15 pm

Post by WIW »

Script URL: (keeping private)
Version of script: 0.93
Hosting company: Dreamhost.com
URL of phpinfo.php: (keeping private)
URL of session_test.php: (Don't know, is this available?)
What terms did you try when SEARCHING for a solution: various ones for securing helpdesk...

Write your message below:

Is there any way besides .htaccess to secure access to one's submitted tickets? What I'm doing is, I made a second form and added new columns in the database for gathering specific information from the user. This works, thanks for the easy script by the way! :D

Example: host login information, FTP login information, passwords especially, and various other information. Now, I had submitted a test ticket, got the ticket tracking URL and all. However, the downfall is, I could open this ticket up in another browser, and it's viewable by anyone that I give the URL to...

Now, I know this ticket tracking can't be accessed on the fly, and only when the person that submitted the ticket gives out the access to others. Such as: friends, family, and other users of the net. I am planning on running a site where me and my team of installers are going to use this information, which will be found via the admin control panel.

However, if someone on my install team holds a grudge, or becomes angry at me, they could possibly go through all of the tickets containing the important information I mentioned above.. and post straight ticket tracking links on the web. Giving mass users of the web access to my customers' vital information.

Could there possibly be an implementation where these ticket tracking urls and other accessible posted things by users be protected or viewable ONLY by those people? Maybe like some little SSL secure server script be added into the next release, or as an add-on?

I was thinking along the lines of: If you posted something, and you gave the ticket tracking url to a buddy, the buddy wouldn't be able to view it because the buddy's IP address didn't match the one of the submitter?

Maybe allow access to the submitted tickets, by IP address or something? Or even some small Secure script implementation? What do you all think? Any suggestions, opinions, or tips? Thanks..

/Please keep in mind though, that I'm NOT a PRO at adding such securing type things. I'm not great with .htaccess and SSL. Step by step tips would be awesome! Thanks.. :)

WIW
Klemen
Site Admin
Posts: 10142
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

Well the best thing would be to force users to register and edit Hesk to only show ticket.php when the correct username/password combination is entered. But this would take a lot of editing and is out of the scope of my support here.

Not sure exactly how your system works, but a simple solution could be to just not show any sensitive info in ticket.php. For example show FTP login info only in admin_ticket.php, but not in ticket.php (either remove it completely or change actual info with *****).
Klemen, creator of HESK and PHPJunkyard
WIW

Post by WIW »

Klemen Stirn wrote: Well the best thing would be to force users to register and edit Hesk to only show ticket.php when the correct username/password combination is entered. But this would take a lot of editing and is out of the scope of my support here.
Thanks for your reply. :) I've been hearing about this "forcing users to register" bit, but frankly I'm at a loss on how to do this? Being that there is no register link, file and so forth? The only page is for the /admin.php login? How can I force users to register? Oh! You've already said this would take a lot of editing.. sorry about that..
Klemen Stirn wrote: Not sure exactly how your system works, but a simple solution could be to just not show any sensitive info in ticket.php. For example show FTP login info only in admin_ticket.php, but not in ticket.php (either remove it completely or change actual info with *****).
My system works just the same as the original way. However, I've just made a second index.php file, second link on index.php file for links to submit to the two locations, two submit_ticket.php files, added my numerous custom fields, and added more database columns for that information to be stored in the database, made the two submit_ticket files to submit to same database, just one is taking more info than the first, and then to be regurgitated in ticket.php.

So basically it's the same setup, just more information is being submitted and then exposed in ticket.php. Your suggestion above there is brilliant though! I didn't even think of that! I'll give that a go once! Another thing I was thinking of doing... is..

We *could* just make up TWO helpdesks. I can secure the ONE helpdesk via dreamhost.com's control panel, and even have the ability to make a group that will be allowed to access that ONE helpdesk for installs/upgrades and so forth.

The second helpdesk could be for the normal folks, submitting general inquiries, questions, problems, issues or whatever. This can be accessed by the public 24-7, paid up or not. BOTH helpdesks could use the same database for storing information. Actually, I think that would be best. So we're not having to login to two different /admin.php control panels.

However, the users will have to go to each helpdesk specifically. Here below is my thought/plan of action:

HelpDesk #1 - General inquiries, support issues, questions and issues. Open 24-7 for the public, customer or not. They can access freely.

HelpDesk #2 - For install/upgrade requests ONLY! It WILL be FULL BLOWN secured. Only those that have paid us money and what not are allowed to access this one. The link and login information will be provided to them ONLY AFTER payment was made. Also, any and all customers which had paid before, will be able to have access to it.



I'll try one of the above methods then. Thanks so much for your suggestions and thoughts.. :)

WIW
Klemen

Post by Klemen »

Hello WIW,

The "force users to register" isn't available in hesk, it would require coding it from zero. And that's a lot of work.

I'm not sure you understood my **** idea correctly. Say you have only one copy of Hesk installed, and anyone (who knows ticket ID) can open tickets in their browser.

Now you want to prevent people from being able to see FTP login info, usernames, passwords, ... etc in their browser just by typing in the url of hesk/ticket.php?track=(ID) , right? Well my idea was to simply block showing of any sensitive information in ticket.php (which is publicly accessible). It can be as simple as replacing values of the extra fields (passwords, usernames, ...) with **** or not show them in ticket.php at all, so not even the person who posted this info can see it (or anyone else who knows Tracking ID for that matter).

Doing that the only way to access the sensitive information would be from within the admin panel (admin_ticket.php) which is password protected.

So you can still collect the sensitive information, but just don't display it in ticket.php, only in admin_ticket.php

Makes sense?
WIW

Post by WIW »

Oh yeah, I understood what you were saying. 8) :) I already went ahead and tested that on the localhost. What worked for me was this in ticket.php:

Changed This:

Code:

<tr>
	<td class="white"><?php echo $hesklang['host']; ?>:</td>
	<td class="white"><?php echo $ticket['host']; ?></td>
</tr>

To this (for all vital ones):

Code:

<tr>
	<td class="white"><?php echo $hesklang['host']; ?>:</td>
	<td class="white"><?php echo '*****'; ?></td>
</tr>

This will display the vital information as " ****** " while viewing the ticket, and even while viewing source code of the ticket page. However, I might just go the route of securing the whole directory. Then, make a group or two up with username and passwords and give the url, user, and pass out to only those that paid for services...

I'm pretty sure this is what you were talking about doing above right? LOL!

WIW
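
The masking approach discussed in this thread, generalized into a default-deny helper so that any newly added custom column is masked in the public ticket.php view unless it is explicitly allow-listed. This is an added example, not code from the thread or from HESK; the function name, `PUBLIC_FIELDS`, and every field name except `host` are assumptions.

```php
<?php
// Added example: default-deny rendering of ticket fields.
// Field names other than 'host' are hypothetical; adapt them to your columns.

// Columns safe to show to anyone who holds the tracking URL (assumed names).
const PUBLIC_FIELDS = ['subject', 'status', 'message'];

/**
 * Build the <tr> rows for a ticket.
 * $isAdmin = true  -> admin_ticket.php (password protected): real values.
 * $isAdmin = false -> ticket.php (public): anything not allow-listed is masked.
 */
function render_ticket_rows(array $ticket, array $labels, bool $isAdmin): string
{
    $rows = '';
    foreach ($ticket as $field => $value) {
        if ($value === null || $value === '') {
            continue; // nothing was submitted for this field
        }
        $show = $isAdmin || in_array($field, PUBLIC_FIELDS, true);
        // Fixed-width mask, so the page does not reveal the value's length.
        $cell  = $show ? htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') : '*****';
        $label = htmlspecialchars($labels[$field] ?? $field, ENT_QUOTES, 'UTF-8');
        $rows .= "<tr>\n\t<td class=\"white\">{$label}:</td>\n"
               . "\t<td class=\"white\">{$cell}</td>\n</tr>\n";
    }
    return $rows;
}

// Constructed sample data standing in for a database row and $hesklang.
$ticket = [
    'subject'  => 'Install request',
    'host'     => 'ftp.example.com',
    'ftp_user' => 'alice',
    'ftp_pass' => 'S3cret<&>',
];
$hesklang = ['subject' => 'Subject', 'host' => 'Host',
             'ftp_user' => 'FTP user', 'ftp_pass' => 'FTP password'];

$public = render_ticket_rows($ticket, $hesklang, false);
$admin  = render_ticket_rows($ticket, $hesklang, true);

// Self-check: the public markup must not contain any sensitive value.
foreach (['host', 'ftp_user', 'ftp_pass'] as $f) {
    if (strpos($public, htmlspecialchars($ticket[$f], ENT_QUOTES, 'UTF-8')) !== false) {
        throw new RuntimeException("Sensitive field leaked in public view: {$f}");
    }
}
echo "--- ticket.php ---\n{$public}--- admin_ticket.php ---\n{$admin}";
```

Because the mask is applied on the server, the real values never reach the browser in the public view, while the admin view still shows them HTML-escaped.
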
Klemen

Post by Klemen »

Oh, ok, you did understand me :lol:

Just a note, you might skip echo when printing **** and simply place it in the code:

Code:

<td class="white">*****</td>
WIW

Post by WIW »

Klemen Stirn wrote: Oh, ok, you did understand me :lol:
Of course I did... :P You gotta keep in mind, not everyone that comes here for support is a total dumbass...lmao! :lol: /Me thinks someone needs a spanking and put on time out.. :lol: Just kidding of course.. lol!
Klemen Stirn wrote: Just a note, you might skip echo when printing **** and simply place it in the code:

Code:

<td class="white">*****</td>

Oh nice! Yeah, that would be better wouldn't it? LOL! You and your software(s) are awesome Klemen. 8)

Okay, I think it's time to get back to work now.. tata for now folks! :)

WIW
Klemen

Post by Klemen »

WIW wrote: Of course I did... :P You gotta keep in mind, not everyone that comes here for support is a total dumbass...lmao! :lol:
Never thought you are one, but I kind of got used to (and tired of :roll: ) explaining the same things over and over again :wink:
WIW

Post by WIW »

Haha, I know how that is though sigh... For those "special times" I usually just copy/pasted into a text file all the answers for repeated questions in a support forum..

That way, at least it helps cut down on having to retype same crap over and over again. :lol: It's not much work that way, just a quick copy/paste of something and hit submit...Oh yes, the joys of support forums... LoL!

WIW