CiviCRM Community Forums (archive)

I've just opened a couple of tickets against 2.1 (observed on SVN r17296) and am posting here in the hope that other folks can confirm whether they see the same issues, or add any information.

1. Tokens in embedded URLs (eg {contact.checksum}) do not get handled unless Track Clickthroughs is enabled

IMO, using checksums combined with Track Clickthroughs is a security issue.

If you use Track Clickthroughs to send out an email to contacts which contains a checksum, then any contact can access other mailed contacts' checksums by altering the qid value they receive. Therefore checksum URLs should not be used in combination with Track Clickthroughs.

However, Track Clickthroughs appears to be required for tokens in embedded URLs to function at all.

2. URLs containing tokens with Track Clickthroughs are incorrectly stored in the DB

It seems people using Drupal with Clean URLs disabled may not notice this issue , because Drupal's 404 handling in that case means that they end up on the right page anyway. However I believe this will affect standalone and Joomla installations as well as Drupal with Clean URLs enabled. Would appreciate confirmation from anyone who can test this on those systems.