Anthony Molina shared this idea 6 years ago
Under Consideration

It seems that the WHMCS vulnerabilities lie within its ticketing system. If automated responses did not occur for non-registered clients, half of the issue would be eliminated.

Example: I check my email and get a stupid code in my ticket system from an unknown user. I delete it and block it and get rid of the dick that sent it. Hacker gone. Current system: he sends a code, WHMCS responds with my passwords??? Sounds great...

This would also alert us to the tricks hackers would be using and attempting to crack us with.

1) WHMCS does not allow non-registered users to submit a ticket.

2) General enquiries / sales enquiries can be dealt with in traditional ways, send me an email ...

3) Once a person becomes a paying / verified / authenticated user, he gets automated ticketing with normal automated responses etc. This also creates a priority ticketing system...

4) OR, disable automated ticket responses to non-registered / unauthenticated users.

Hi Anthony, Non-registered users submitting tickets does not pose any direct threat. You may well get people trying to submit malicious code into support tickets but none of it should execute. If you've found something that does, then please get in touch with our support team.


Hi Matt, I agree, non-registered users submitting tickets is not a direct threat. However, if anyone is going to attempt to crack and get into the system, chances are it will be a new non-registered user as opposed to an authenticated, registered and known customer. A rogue user or ticket creator with malicious code is the one that will get in. I don't know what the answer is, but I'm trying to stop the source. If someone is trying to port scan my system, I put in a firewall; they no longer see my system and can no longer attempt passwords. In WHMCS we are open for attempts constantly. Not only that, if you get a ticket with malicious code in your system, WHMCS passwords are handed over on a gold platter. I don't feel safe at all. How can that be?? A system which replies with the passwords? My system has been hacked, I have had strange codes in my ticket system, there are so many sites which state how to hack WHMCS, so many WHMCS updates to combat vulnerabilities, I've had to update my system with so many updates it's crazy. I'm happy to turn off the ticket system; if someone wants pre-sales help they can ring, or send an email. They can put all the malicious crap in that email they want, but they won't get my passwords in the reply. That's a sure thing... Really, I just want it to stop. I'm playing cat and mouse and have had enough. I don't know what to say.



Would ticking the "Clients Only" option in the support department configuration meet your needs? This would prevent unregistered users from submitting a ticket to a given department, so if you did that for every department, no tickets could be submitted to any department by unauthenticated users.