Web form params issue

Postby PierreDeux » Mon Jul 01, 2013 12:49 pm

Hi
I've just noticed that having a web form defined as:
http://my-domain-here.com/?source=diale ... _name--B-- --A--last_name--B--&country=UA&city=--A--city--B--&state=--A--province--B--&full_address=--A--address1--B--&zip=--A--postal_code--B--

results in a URL that has the parameters set above and ALL my campaign data, including login password, phone login password, different IDs, all lead fields (even duplicating those that are set in my initial form URL) and many other things that should NOT be sent to any 3rd party.

I've used both _blank and vdcwebform (default weird setting) values for web form target, however it does not change anything.
So I have 2 questions:
1. Who ever got the idea of passing EVERYTHING without asking me? This is a HUGE hole in security (of course, if we can say the words security and vicidial together).
2. How can it be fixed?

Vicibox setup VERSION: 2.8-403a BUILD: 130510-1350
PierreDeux
 
Posts: 58
Joined: Tue Jul 20, 2010 8:18 am

Re: Web form params issue

Postby bobchaos » Mon Jul 01, 2013 1:04 pm

I'm not sure how you see an issue in this... Sounds like a feature to me! Perhaps I don't understand what you mean (screenshots of the results might help!) but I see your URL has variables in it that represent Vicidial fields. The point of this is to allow you to transfer parameters to remote systems so they can execute searches and things like that. A very common scenario is integration with a web-based CRM. You send your search parameters in the URL (using the GET method) so the CRM returns the client's account immediately instead of having the agent run a search.

To remove your data from the url, just remove all the variables (identified by "--A--parameter--B--") from the URL, or at least those that aren't required by the remote system to perform whatever it's supposed to do.
bobchaos
 
Posts: 171
Joined: Fri Jan 06, 2012 12:46 pm

Re: Web form params issue

Postby PierreDeux » Mon Jul 01, 2013 3:57 pm

Hi,
I mean that in addition to those fields that I defined in my web form settings, vicidial is passing ALL FIELDS that it can pass. So I should have a web form URL like this:
http://my-domain-here.com/?source=diale ... _name=John Smith&country=USA&city=NY&state=NY&full_address=122 some street&zip=12345
I have this URL:
http://my-domain-here.com/?source=diale ... _name=John Smith&country=USA&city=NY&state=NY&full_address=122 some street&zip=12345&lead_id=778&vendor_id=39176&list_id=100&gmt_offset_now=3.00&phone_code=1&phone_number=1234567&title=&first_name=John&middle_initial=&last_name=Smith&address1=&address2=&address3=&city=NY&state=&province=&postal_code=&country_code=&gender=U&date_of_birth=0000-00-00&alt_phone=&email=&security_phrase=&comments=some comments&user=operator3&pass=PASS_HERE&campaign=INFO&phone_login=2003&original_phone_login=2003&phone_pass=PASS_HERE&fronter=VDAD&closer=operator3&group=INFO&channel_group=INFO&SQLdate=2013-07-01+204206&epoch=1372700527&uniqueid=1372700471.4754&customer_zap_channel=IAX2/ASTloop-12536&customer_server_ip=MY_IP_HERE&server_ip=MY_IP_HERE&SIPexten=2003&session_id=8600053&phone=933759735&parked_by=778&dispo=&dialed_number=NUMBER_HERE&dialed_label=MAIN&source_id=&rank=0&owner=&camp_script=&in_script=&script_width=1045&script_height=438&fullname=Operator+3&recording_filename=20130701-204201_933759735&recording_id=649&user_custom_one=&user_custom_two=&user_custom_three=&user_custom_four=&user_custom_five=&preset_number_a=&preset_number_b=&preset_number_c=&preset_number_d=&preset_number_e=&preset_dtmf_a=&preset_dtmf_b=&did_id=&did_extension=&did_pattern=&did_description=&closecallid=147&xfercallid=67&agent_log_id=911&entry_list_id=100&call_id=Y7012141110000000778&user_group=OD&web_vars=&session_name=1372679187_200314178774

The example above is a real one I got; I just replaced passwords/phones/names.
PierreDeux
 
Posts: 58
Joined: Tue Jul 20, 2010 8:18 am

Re: Web form params issue

Postby williamconley » Mon Jul 01, 2013 4:43 pm

Web Form - This is where you can set the custom web page that will be opened when the user clicks on the WEB FORM button. To customize the query string after the web form, simply begin the web form with VAR and then the URL that you want to use, replacing the variables with the variable names that you want to use --A--phone_number--B-- just like in the SCRIPTS tab section. If you want to use custom fields in a web form address, you need to add &CF_uses_custom_fields=Y as part of your URL.

Not:

http://my-domain-here.com/?source=diale ... _name=John Smith&country=USA&city=NY&state=NY&full_address=122 some street&zip=12345

Instead:

VARhttp://my-domain-here.com/?source=diale ... _name=John Smith&country=USA&city=NY&state=NY&full_address=122 some street&zip=12345

Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
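
Added example (not part of the original thread, and not Vicidial code): a Python check, based only on the behaviour described in the posts above, that flags web form settings lacking the VAR prefix and redacts credential-bearing parameters from URLs already captured in logs. The function names, the SENSITIVE set and the crm.example URLs are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names are taken from the URL posted in this thread; which of
# them count as sensitive is this example's assumption.
SENSITIVE = {"pass", "phone_pass", "user", "phone_login",
             "original_phone_login", "session_name", "security_phrase"}
TEMPLATE_VAR = re.compile(r"--A--(\w+)--B--")


def audit_web_form(setting):
    """Classify a configured web form address (the setting string itself)."""
    uses_var = setting.startswith("VAR")
    fields = TEMPLATE_VAR.findall(setting)
    return {
        "var_prefix": uses_var,
        # Without VAR, the thread shows every agent/lead field being appended.
        "appends_all_fields": not uses_var,
        "templated_fields": fields,
        # Sensitive values can still leave the system if templated explicitly.
        "sensitive_templated": sorted(set(fields) & SENSITIVE),
    }


def redact_url(url):
    """Return (redacted_url, leaked_names) for a URL found in a log or proxy."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Only non-empty values count as leaked; empty ones carry no secret.
    leaked = sorted({k for k, v in pairs if k in SENSITIVE and v})
    clean = [(k, "REDACTED" if k in SENSITIVE and v else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked


# Constructed samples modelled on the thread (not real data).
PLAIN = "http://crm.example/?city=--A--city--B--&zip=--A--postal_code--B--"
WITH_VAR = "VAR" + PLAIN
OBSERVED = ("http://crm.example/?city=NY&zip=12345&lead_id=778"
            "&user=operator3&pass=CONSTRUCTED&phone_login=2003"
            "&phone_pass=CONSTRUCTED&security_phrase=")

if __name__ == "__main__":
    for s in (PLAIN, WITH_VAR):
        print(audit_web_form(s))
    print(redact_url(OBSERVED))
```

Any URL that `redact_url` reports as leaking `pass` or `phone_pass` has already exposed those credentials to the receiving server and its logs, so the passwords should be rotated after the setting is corrected.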

