WHMCS

Hi,

I have tested this module but quickly had to remove it after finding a big security issue (for us anyway) as any client in WHMCS can view tickets not belonging to them simply by knowing the email address of someone who has contacted us.

1. Create a client profile in WHMCS
2. Login to that WHMCS profile and change the main email address to the same email address used by the sender of a helpdesk ticket
3. Click to view ticket list and see tickets sent by that email address including any sensitive information, passwords, etc.

I know this won't work if the second email address is already a profile in WHMCS due to the protection built into WHMCS. However, it will work for any email address used in any ticket in the helpdesk that doesn't happen to belong to a WHMCS profile (sales tickets where they didn't signup, deleted profiles, contacts, etc).

This could easily be fixed if WHMCS had an email verification when a client changes their email address but they don't seem interested in adding it (I've asked them already) so there we go.

My suggested method of fixing would involve a bit of a change to the logic of the module but would fix this issue and also allow WHMCS clients to change their email address without losing their past tickets...

A new database table could be added for this integration which links WHMCS client ID to ticket ID so when a ticket is submitted by user id 1111 and the ticket ID is 2222, these two ID's would be added as a record in the database table. When a WHMCS client clicks to view their ticket list it will refer to this table to get all of their past ticket ID's and only pull these from the Kayako API (in this example see that WHMCS id 1111 only has ticket ID 2222 so only grab this one).