[Resolved] The Forum

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 14 replies, has 4 voices.

Last updated by julieP 1 year, 6 months ago.

Assigned support staff: Nigel.

#1579885

I need to discuss a matter of security. At this point in time, I think this would be best dealt with either via private fields or outside the forum. Nigel, I believe you are "Team Leader"? Can you deal with this please and let me know how you wish to correspond? Thank you.

#1579993

Shane
Supporter

Languages: English (English)

Timezone: America/Jamaica (GMT-05:00)

Hi Julie,

Thank you for getting in touch.

Currently Nigel is unavailable and won't be until next Tuesday. If this is something that I can assist with please let me know and I will be more than happy to help.

Thanks,
Shane

#1580415

Hi Shane

In that case I'll report the issue and you can decide whether you want to hand it over. Please enable a private field. Thanks

#1580423

Shane
Supporter

Hi Julie,

Here are the private fields for your next response.

Thanks,
Shane

#1582767

Hi Shane

Can you give me a private field without the ones requesting usernames & passwords please?

#1582987

Shane
Supporter

Hi Julie,

Please try again.

#1584307

Hi, Shane has a national holiday today but will return tomorrow to continue assisting you.

#1585351

Nigel
Supporter

Languages: English (English), Spanish (Español)

Timezone: Europe/London (GMT+01:00)

Hi Julie

This was caught up in the long weekend for some of the team, myself included, but let me step in here.

Thanks for bringing this to my attention.

I'm raising it with the systems team immediately. I've created an internal ticket and marked it as critical.

In the meantime, do you still have access to the email? Would you mind forwarding it to me at nigel.a@onthegosystems.com as an example?

Also, you say you reported this previously. Do you know when? I can look into what happened at the time.

#1586257

Hi Nigel

I kept the email in case you wanted to see it & have forwarded it (subject line = #1585351).

Yes, I have raised this issue previously but can't remember 100% how I did it. I've looked at my forum support tickets but can't find anything there (although perhaps it was removed??). I doubt I would have submitted it as a feature request so the only other avenue is directly by email. I've searched my emails and found nothing but may have deleted them of course. The only people I've had direct contact with in the past are Amir, Amit, Mohammed, Ana and Beda. I doubt I would have contacted Ana or Beda directly about the issue. Time-wise it would have been in the last 2 years (I recall referring to GDPR then too) and the email would have been sent from the address I used to first register with Toolset (I've changed it since).

I have a feeling BTW that this issue occurs randomly. I say this because the same thing hasn't happened on another ticket I'm currently following (I've supplied the post ID for that one in the forwarded email).

Let me know if you need anything else. In the meantime, stay safe.

#1586259

Nigel
Supporter

Hi Julie

Reviewing the internal tickets just a moment ago I see that it appears to happen when a user adds private information to the text area of the reply, rather than using the fields which are provided for username, password etc., which is why it would only seem to happen sometimes.

I can confirm that was the case with the email you forwarded.

The code for this has already been updated to allow for that eventuality and is currently undergoing testing, so it's not live on our system yet, but should be updated soon to prevent this happening again.

Thanks very much for bringing this to our attention. The update means that thread followers won't see private replies at all.

#1586281

Thanks Nigel. How will I know when the code has gone live?

#1586285

Nigel
Supporter

If you need to know I'll keep an eye on the internal ticket and update you here.

I'll leave this as escalated for now.

#1586963

OK thank you, I appreciate that.

In the meantime, I've now discovered that links in public fields (hidden in the forum) are revealed in the notifications to thread followers. I think this ought to be addressed at the same time? I'm about to forward you another email so you can see what I mean (thread ID in the subject line is #1586741). The links in that thread are download links for duplicator packages. I've not touched them.

#1587055

Nigel
Supporter

Hi Julie

Firstly, the changes regarding private replies have gone into production already after testing; we can consider that fixed.

I have also created a ticket about the hidden links, and discussed it with the same developer, who will fix that problem tomorrow.

I'm not sure if you need another update about that, or whether you are ready to close this.

In any case, thanks very much for bringing this to our attention and for your discretion.

#1588477

Happy to close ticket
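
The two notification leaks discussed in this thread, as an added example that is not Toolset's code and not part of any post: a notifier that treats only the dedicated fields as private, beside one that decides by the reply's privacy flag and keeps forum-hidden links out of email. The `Reply` model, function names, addresses and sample data are all constructed assumptions.

```python
from dataclasses import dataclass, field

STAFF = {"support@example.test"}  # constructed staff address


@dataclass
class Reply:
    author: str
    body: str
    private: bool = False
    credentials: dict = field(default_factory=dict)   # dedicated private fields
    hidden_links: list = field(default_factory=list)  # links masked on the forum page


def notify_leaky(reply, followers):
    """Before: only the dedicated fields are withheld; body and links go to everyone."""
    text = reply.body + "".join("\n" + url for url in reply.hidden_links)
    return {addr: text for addr in followers if addr != reply.author}


def notify_fixed(reply, followers):
    """After: private replies reach staff only; hidden links stay on the site."""
    out = {}
    for addr in followers:
        if addr == reply.author:
            continue
        if reply.private and addr not in STAFF:
            continue  # thread followers do not receive private replies at all
        text = reply.body
        if reply.hidden_links:
            text += "\n[%d link(s) hidden, view in the forum]" % len(reply.hidden_links)
        out[addr] = text
    return out


# Constructed sample data: a client who typed a secret into the reply text area,
# and a public staff reply carrying a link the forum page hides.
FOLLOWERS = ["client@example.test", "follower@example.test", "support@example.test"]
PRIVATE = Reply("client@example.test", "FTP password: constructed-secret",
                private=True, credentials={"wp_user": "constructed"})
PUBLIC = Reply("support@example.test", "Package is ready.",
               hidden_links=["https://example.test/package.zip"])

if __name__ == "__main__":
    for fn in (notify_leaky, notify_fixed):
        print(fn.__name__, sorted(fn(PRIVATE, FOLLOWERS)), fn(PUBLIC, FOLLOWERS))
```
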