This particular help desk software contains all of the functionality that you'd expect help desk software to have at a very small fraction of the price being charged for most other help desk software. The site offering it for sale had it written for their own use and were recouping some of what it had cost them by offering it for others to use - hence the cheap price.
The first thing that I noticed when I started looking at the software is that it generates HTML 3.2 code that has officially been obsolete since 1997 and which has in practical terms been obsolete since the death of Netscape 4 circa 2005. This isn't all that surprising though given that over 90% of pages on the web are still being written that way today and even where sites are trying to get rid of such code that process is often still incomplete. Anyway the HTML works in the various browsers even though it isn't the most appropriate HTML for the 21st Century.
Installing the script was easy and I only had one issue with configuring it the way I wanted. One option the script contains allows the administrator userid to be changed. Unfortunately if you change the administrator userid the administrator can no longer log in. I tracked this problem down to one spot in the code where the administrator login is hard coded rather than looked up in the database. Patching that code to work with my selected login was trivial and got the script working again. Fixing the script properly so that it did the lookup from the database instead of having the login hard coded could wait until later.
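The hard-coded login bug described above, as an added illustration that is not code from the help desk script itself (the page does not name the script's language, so Python with an in-memory SQLite database stands in for it). The `settings` table, the `admin_userid` key and the two check functions are assumptions made for the example; the point is that once the administrator userid is renamed in the database, a check against a literal string fails while a check that reads the configured value keeps working.

```python
import sqlite3

# What the script did: the administrator's userid is a literal in the code.
ADMIN_USERID_HARDCODED = "admin"


def make_db():
    """Constructed in-memory settings table; the real script keeps this in its own database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT NOT NULL)")
    conn.execute("INSERT INTO settings (name, value) VALUES ('admin_userid', ?)", ("admin",))
    return conn


def rename_admin(conn, new_userid):
    """The 'change administrator userid' option: updates the database only."""
    conn.execute("UPDATE settings SET value = ? WHERE name = 'admin_userid'", (new_userid,))


def is_admin_hardcoded(userid):
    """Broken check: ignores the database, so it stops working after a rename."""
    return userid == ADMIN_USERID_HARDCODED


def is_admin_from_db(conn, userid):
    """Correct check: compares against the configured value, using a parameterised query."""
    row = conn.execute("SELECT value FROM settings WHERE name = 'admin_userid'").fetchone()
    return row is not None and row[0] == userid


if __name__ == "__main__":
    conn = make_db()
    rename_admin(conn, "helpdesk_owner")
    print("hard-coded check after rename:", is_admin_hardcoded("helpdesk_owner"))  # False
    print("database check after rename:  ", is_admin_from_db(conn, "helpdesk_owner"))  # True
```

Both functions agree as long as nobody touches the rename option, which is why the bug is easy to ship and only surfaces on the first installation that actually uses the feature.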
I found no other problems while setting up the script the way I wanted and so put it live. At this point I had not had any reason to test the support staff functionality or the ticketing process - those were the main purpose of the script and I had no reason to believe that they would have any problems, or that any problems they did have would be anything more than trivial.
Some time later a glitch in a different script on one of my sites led to the hosting provider running a security scan of all the files on my hosting account. This scan identified two of the files in the help desk script as containing malware and stripped the iframe tag containing the malware from the bottom of those two pages. I only know what change it made because I compared the scripts on the site with the copy on my own computer that I had uploaded the files from. I got additional confirmation that the tags were linking to malware when I tried to search the copy of the script on my computer to confirm that there were no further references to that malware: the antivirus software on my computer blocked the search from running because it identified the address being searched for as malware.
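The comparison and search described above, written out as an added example rather than anything from the page or the script's owners. The file contents are constructed stand-ins and the iframe address is a placeholder, not the real one. Each live file is hashed against the clean local copy; anything that differs is reported together with any iframe sources that appear in the live version but not in the clean one, and a plain substring search finds further references across the whole tree.

```python
import hashlib
import re

# Matches an iframe tag and captures its src attribute.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed stand-ins: the clean copy kept locally and the copy on the hosting account.
CLEAN_FILES = {
    "index.php": "<html><body><h1>Help Desk</h1></body></html>\n",
    "ticket.php": "<html><body><h1>Ticket</h1></body></html>\n",
}
LIVE_FILES = {
    "index.php": "<html><body><h1>Help Desk</h1></body></html>\n",
    "ticket.php": "<html><body><h1>Ticket</h1></body></html>\n"
                  "<iframe src=\"http://placeholder.invalid/x\" width=0 height=0></iframe>\n",
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def iframe_sources(text):
    """All iframe src values in a file, used to explain *why* a file differs."""
    return IFRAME_SRC_RE.findall(text)


def compare_trees(clean, live):
    """Return {filename: report} for every file that is not byte-identical to the clean copy."""
    findings = {}
    for name in sorted(set(clean) | set(live)):
        c, l = clean.get(name), live.get(name)
        if c is None:
            findings[name] = {"status": "unexpected", "iframes": iframe_sources(l)}
        elif l is None:
            findings[name] = {"status": "missing", "iframes": []}
        elif sha256_hex(c) != sha256_hex(l):
            new_sources = [s for s in iframe_sources(l) if s not in iframe_sources(c)]
            findings[name] = {"status": "modified", "iframes": new_sources}
    return findings


def find_references(files, needle):
    """Names of every file whose contents mention the given string (e.g. a hostname)."""
    return sorted(name for name, text in files.items() if needle in text)


if __name__ == "__main__":
    for name, report in compare_trees(CLEAN_FILES, LIVE_FILES).items():
        print(name, report)
    print("references:", find_references(LIVE_FILES, "placeholder.invalid"))
```

Hashing the whole file rather than only grepping for `<iframe` matters: the scanner on the page stripped one tag, but an unrelated edit to a file would also be caught, and a tag written with unusual whitespace or encoding would not slip past the hash comparison even if the regex missed it.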
With the malware removed from my live site the only concern I had left was that the malware was present in the original download file, so the script owner needed to be notified that the copy of the script they were distributing had been compromised. I did this by going to the help desk belonging to the script owner and entering the details there of the infected files along with a copy of the code they were infected with.
Their copy of the script then proceeded to send me an email that was itself infected with the malware.
It was at this point that I realised that there were more serious problems with the script than I had previously believed and immediately deleted the live copy of the script from my hosting. The links to that script will be broken until I either remove them or install a more secure version of the help desk script, but at least no one is being put at risk by an insecure script on my site.
A closer look at some of the code in the script showed that the few issues I had encountered so far are a small fraction of the total issues the script has. What little validation the script actually contains is for the most part not done in the most appropriate way and, as I had already determined, some fields were not being validated at all and could quite easily be used to inject code (as I had accidentally injected the malware code into the acknowledgement email). I wouldn't be uploading that help desk script again until it had undergone a major rewrite to add in all the missing validation (proper validation can account for as much as 60% of a typical script).
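An added example of the missing validation and the acknowledgement-email problem, not code from the help desk script (Python is assumed here; the page does not name the script's language). The ticket submission, field names and length limits are all constructed for the example. `render_ack_unsafe` splices the submitted fields straight into the HTML email, which is how pasted markup ends up being mailed back; `validate_ticket` checks every field at the trust boundary and `render_ack_safe` escapes each field for the HTML context it is placed in.

```python
import html
import re

# Constructed sample submission: the description field carries an iframe tag
# (placeholder address), as a ticket reporting such a tag would.
SUBMISSION = {
    "name": "Alice <script>",
    "email": "alice@example.com",
    "subject": "Login broken",
    "description": "Cannot log in.\n<iframe src=\"http://placeholder.invalid/\"></iframe>",
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_LEN = {"name": 80, "email": 254, "subject": 200, "description": 5000}  # assumed limits


def validate_ticket(fields):
    """Validate every form field on entry: present, within length, and (for the
    one-line fields that end up in mail headers) free of CR/LF. Returns (cleaned, errors)."""
    cleaned, errors = {}, []
    for name, limit in MAX_LEN.items():
        value = fields.get(name, "")
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{name}: required")
            continue
        if len(value) > limit:
            errors.append(f"{name}: too long")
            continue
        if name != "description" and ("\r" in value or "\n" in value):
            errors.append(f"{name}: line breaks not allowed")
            continue
        cleaned[name] = value.strip()
    if "email" in cleaned and not EMAIL_RE.match(cleaned["email"]):
        errors.append("email: invalid address")
    return cleaned, errors


def render_ack_unsafe(ticket):
    """What the script effectively did: raw fields dropped into the HTML email body."""
    return (f"<p>Hello {ticket['name']},</p>"
            f"<p>We received your ticket \"{ticket['subject']}\":</p>"
            f"<pre>{ticket['description']}</pre>")


def render_ack_safe(ticket):
    """Hardened: every field is HTML-escaped, so submitted markup is shown as text."""
    e = html.escape
    return (f"<p>Hello {e(ticket['name'])},</p>"
            f"<p>We received your ticket &quot;{e(ticket['subject'])}&quot;:</p>"
            f"<pre>{e(ticket['description'])}</pre>")


def contains_active_markup(body):
    """Detection helper: does the rendered body still contain a live iframe or script tag?"""
    return bool(re.search(r"<(iframe|script)\b", body, re.IGNORECASE))


if __name__ == "__main__":
    cleaned, errors = validate_ticket(SUBMISSION)
    print("errors:", errors)
    print("unsafe body carries markup:", contains_active_markup(render_ack_unsafe(cleaned)))
    print("safe body carries markup:  ", contains_active_markup(render_ack_safe(cleaned)))
```

Validation and escaping are separate jobs: the description legitimately contains the tag the reporter is asking about, so it cannot be rejected, and the only correct handling is to escape it at output time. The CR/LF check on the one-line fields is there because those fields also reach the mail headers, where a line break would let a submitter append headers of their own.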
The last two things I did were to notify the owners that their script has major problems and that they should consider doing as I have done and take it offline until they get it fixed, and to block any emails their script generates and sends to the email address I used to raise the support ticket. They didn't actually provide any way to contact them other than through their bug-ridden script and so I provided a different email address in the message itself for them to use to contact me. It remains to be seen how long it takes them to get the script rewritten to patch all the security holes (I will not be giving priority to doing so just for the copy on my site but would give the task a high priority if they ask me to fix it for them). One positive is that they are acting on my report insofar as patching the script to fix the specific security hole that I identified. Somehow I don't think that fixing all of the other antiquated and poor validation in the script is going to happen in the foreseeable future though.
So what should you do? Well if you haven't purchased this script then don't. With all the security issues the script is worthless. If you already have a copy of the script then do as I have done and delete it until such time as the security issues are fixed. Unfortunately the owners don't tell you when the security issues are fixed, so unless you constantly monitor their site for new versions you will never know whether they have fixed the script.