21 Jul 2022

Bug fixes

[PRESIDECMS-2361] Email link tracking links: further 404 issues

Further note

The PRESIDECMS-2349 ticket addressed a security issue where an attacker could craft a URL using your websites domain that would redirect to an address of their choosing. This could be used in phishing attempts where your website domain's reputation would be used as trusted link. However, in addressing this issue, we inadvertently introduced a number of bugs with click tracking that meant various forms of link in email marketing emails stopped working, resulting in a 404 not found page.


Going forward, it is recommended to set the emailLinkShortener feature flag in your application's Config.cfc file, i.e.

settings.features.emailLinkShortener.enabled = true;

Links in this format are not vulnerable to attack and allows you to use the strict link checking that we have put in place without any potential side effects.

For emails already sent however, the changes in this hotfix add strict checking of the links to ensure that they have come from emails that have been sent by the system. Due to the many different ways in which links can be generated and end up in emails, this approach is not 100% bullet proof and could lead to some links not working. In this case, we have added a new setting under Email center -> Settings, named Disable valid link checking under a Click tracking section. Check this setting to disable the strict link checking.