server upgraded

You may have noticed that the site is serving a lot faster recently. On Jan 23rd 2015 I migrated the site from my old server to my new server. The old server was an old HP Proliant ML350 with two (2) Intel(R) XEON(TM) 3.4GHz processors with 2 cores each (2MB cache), 2 GB of DDR2 400MHz RAM. The new machine is a virtual which has five (5) Intel(R) Xeon(R) 2.67GHz processor cores (20MB cache) and 8 GB of DDR3 1333MHz.

Initially I threw more processors and less RAM at it, but after playing around with it for the last few days I've lowered the processors and upped the RAM. So far I'm quite happy with how it's worked out.

osTicket v1.9.5.1 Released!

There is a new version of the 1.9 series, specifically the stable  You can get this version via github or at  It features some improvements/bug fixes, and an important security update.  Here is a list of the changes:


  • Fix file.php to serve files added to system before osTicket v1.9.1 (e02ab9a)
  • Fix file.php to serve files if client panel or system is offline (6bb7843)
  • Fix popover download of inline images (8d3a130)
  • Avoid de-duplicating zero-length files (98caa70)
  • Send new message alert to team members if not assigned to an agent (b7e75b1)
  • Fix import of users to organization not setting the organization (1220238)
  • Fix redactor toolbar showing over the date picker (#1450, thanks @Chefkeks)

Performance and Security

  • Fix XSS vulnerability in client language selection (b38b3ca)


You can read more about it at the github repository. The XSS vulnerability was discovered by forum user erickroco and reported in this thread: osTicket 1.9.5 – XSS vulnerabilities reported by OWASP ZAP. It is recommended that you upgrade immediately.

osTicket v1.9.5 Released!

The folks over at have released a new version of the 1.9 series, specifically the stable 1.9.5.  You can get this version via github or at  It features a slew of enhancements, bug fixes, and security updates.  Here is a list of them:


  • Add support for organization vars in templates (%{ticket.user.organization…}) (#1561)
  • Canned responses feature can now be disabled (#1562)
  • Drop link redirection through l.php (#1640)
  • Use unified file download script (#1641). Links can now be shared with external users and accessed without authenticating.
  • Ticket filters support matching and banning based on the Reply-To user information (#1645)


  • Remove custom data when users are deleted (#1492)
  • Fix matching of ticket number in subject (regression in v1.9.4) (#1486)
  • Several minor translatable strings (#1441, #1489, #1560), thanks @Chefkeks
  • Fix invalid UTF-8 chars PDF error for empty thread title (regression in v1.9.4) (#1512)
  • Consider auto response checkbox and department setting for new ticket by staff (#1509)
  • Fix PHP crash if finfo extension is missing (#1437)
  • Fix export of choice field items (#1436)
  • Properly handle alert and auto response flags from API (#1435), thanks @stevepacker
  • Fix current value of choice fields if set to boolean false (#1466)
  • Do not reopen tickets for automated responses (#1529)
  • Properly handle uppercase file extensions in file field configuration (#1549)
  • Fix release of ticket lock when navigating away from ticket view (#1552)
  • Display FAQ article consistently on client portal (#1553)
  • Avoid wrapping password reset URLs on text emails (#1558)
  • Fix field requirement for clients when only required for agents (#1559)
  • Fix language selection for new email template group (#1563)
  • Fix incorrect status of new ticket if opened as closed and assigning to an agent (#1565)
  • Forbid disabling the only active administrator (#1569)
  • Searching for tickets searches to midnight of the end date (#1572), thanks @grintor
  • Fix rejection of tickets by filter, even if a previous matching filter would stop on match (#1644)
  • Fix matching of User / Email Address in ticket filters (#1644)
  • Properly HTML escape thread bodies when quoting (#1637)
  • Use department email for agent alerts (#1555)
  • Skip team assignment alert on new ticket if assigned to an agent (fddb3c7)
  • Use custom form name as the page title when editing (#1646)
  • Fix failed ticket number match in email subject line (2e01010)

Performance and Security

  • Fix possible XSS vulnerability in sortable table view pages (#1639)


You can read more about it at the github repository. They made maintenance releases for the 1.7 and 1.8 series which should fix some of the issues in those.

Lastly they made an important notice regarding the 1.7 tree on their blog: 
"Notice: osTicket 1.7 series is reaching end of life.  As of March 31st, 2015, we'll no longer maintain 1.7 series. Users are highly encouraged to make plans to upgrade to the latest release or 1.8 series in the coming months."

osTicket 1.9.4 released

Yesterday the folks over at released the latest version of the 1.9 series, specifically the stable 1.9.4.  This version had not only a DPR (Developer Preview Release) but also 5 RCs (release candidates) before going live.  You can get this version via github or at  It features a slew of enhancements, bug fixes, and security updates.  Here is a list of them:

Major New Features

  • New ticket states (archived, and deleted) (#1094, #1159)
  • Custom ticket statuses (#1159)
  • Custom ticket number formats (#1128)
  • Full text search capabilities (beta)
  • Multiselect for choice fields and custom list selections
  • Phase II Multi-Lingual Support (User Interface) (see and (#1096)
    • Active interface translations of 46 languages currently
    • Popup help tip documentation in all languages
    • Flags displayed on client portal for manual switch of UI language by endusers
    • Automatic detection of enduser and agent language preference as advertised by the browser
    • Improved PDF ticket printing support, including greater support for eastern characters such as Thai, Korean, Chinese, and Japanese
    • Proper support for searching, including breaking words for languages which do not use word breaks, such as Japanese
    • Proper user interface layout for right-to-left languages such as Hebrew, Arabic, and Farsi
    • Right-to-Left support for the HTML text editor, regardless of the viewing user’s current language setting
    • Proper handling of bidirectional text in PDF output and in the ticket view


  • Plugins can have custom configurations (#1156)
  • Upgrade to mPDF to v5.7.3 (#1356)
  • Add support for PDF fonts in language packs (#1356)
  • Advanced search improved to support multiple selections, custom status and flags


  • Fix display of text thread entries with HTML characters (<) (#1360)
  • Fix crash creating new ticket if organization custom data has a selection field (#1361)
  • Fix footer disappearance on PJAX navigation (#1366)
  • Fix User Directory not sortable by user status (#1375)
  • Fix loss of enduser or agent priority selection on new ticket (#1365)
  • Add validation error if setting EndUser username to an email address (#1368)
  • Fix skipped validation of some fields (#1369) (regression from rc4)
  • Fix detection of inline attachments from rich text inputs (#1357)
  • Fix dropping attachments when updating canned responses (#1357)
  • Fix PJAX navigation crash in some browsers (#1378)
  • Fix searching for tickets in the client portal (#1379) (regression from rc4)
  • Fix crash submitting new ticket as agent with validation errors (#1380)
  • Fix display of unanswered tickets in open queue (#1384)
  • Fix incorrect statistics on dashboard page (#1345)
  • Fix sorting by ticket number if using sequential numbers
  • Fix threading if HTML is enabled and QR is disabled (#1197)
  • Export ticket “created” date (#1201)
  • Fix duplicate email where a collaborator would receive a confirmation for his own message (#1235)
  • Fix multi-line display of checkbox descriptions (#1160)
  • Fix API validation failure for custom list selections (#1238)
  • Fix crash adding a new user with a selection field custom data
  • Fix failed user identification from email headers if “References” header is sorted differently by mail client (#1263)
  • Fix deletion of inline images on pages if draft was not saved (#1288)
  • Fix corruption of custom date time fields on client portal if using non US date format (#1320)
  • Fix corruption of email mailbox if improperly encoded as ISO-8859-1 without RFC 2047 charset hint (#1332)
  • Fix occasional MySQL Commands OOS error from ORM (#1334)

Performance and Security

  • Fix possible XSS vulnerability in email template management (#1163)


You can read more about it at their at github.  They additionally released maintenance releases for the 1.7 and 1.8 series which should fix some of the issues in those.

osTicket 1.9.2 released

Earlier today the folks over at released the latest version of the 1.9 series, specifically the stable 1.9.2.  You can get this version via github or at  It features a slew of enhancements, bug fixes, and security updates.  Here is a list of them:


  • Help topics have super powers (#974)
    • They can be arbitrarily nested
    • They can be manually sorted
    • Admins can select a system default help topic
    • They can inherit the form from a parent
  • Form data entered to custom forms is preserved when switching help topics
  • Update to Redactor 9.2.4 (
  • Using canned responses no longer requires [Append] click (#973)
  • Guests can sign out (#1000)
  • Filter by custom list item properties (#1024)
  • Time selection is based on admin configured time format (#1036)
  • (Optionally) clients can access tickets without clicking email link (#999)
  • Introduction of signals for mail filter plugins (#952)


  • Fix a few glitches on site page management (#986)
  • Fix saving department alert recipients (#985)
  • Fix assignment to account manager regardless of setting (#1013)
  • Fix dialog boxes on some PJAX navigations (#1034)
  • Help topics are properly sorted in FAQ management (#1035)
  • Fix MySQL commands out-of-sync triggered by the ORM (#1012)
  • Clients can follow email links from multiple tickets (#1001)
  • Workaround for PHP variable corruption issue (#917, #969)
  • All other improvements cited in v1.8.3

Performance and Security

  • Fix XSS vulnerability in phone number widget (#1025)
  • Fix several XSS vulnerabilities in client and staff interfaces (#1024, #1025)


You can read more about it at their blog post.  They additionally released maintenance releases for the 1.7 and 1.8 series which should fix some of the issues in those.

osTicket 1.9.x – Email Template Variables

This will be the email template variables (tokens) page for 1.9.1+ (until 2.0). Below is the old list from osTicket 1.8.0+ Email Template Variables, I'll be adding and removing from it over time.

osTicket Template Vars

Client Names VARS
first: %{}
last: %{}
lastfirst: %{}
short: %{}
shortformal: %{}
full: %{}
original: %{}
formal: %{}
initials: %{}
legal: %{}

Recipient Vars
name: %{}
first name: %{}
last name: %{}
lastfirst: %{}
short: %{}
shortformal: %{}
full: %{}
original: %{}
formal: %{}
initials: %{}
legal: %{}
recipients: %{ticket.recipients}
User Access link: %{recipient.ticket_link}
Email: %{}

Staff Name VARS
first: %{}
last: %{}
lastfirst: %{}
short: %{}
shortformal: %{}
full: %{}
original: %{}
formal: %{}
initials: %{}
legal: %{}

staff name: %{}
staff first: %{}
staff last: %{}

staff or department signature: %{signature}
Company Name: %{}

Ticket Vars
Ticket ID (internal): %{}
Ticket Number (external): %{ticket.number}
Email: %{}
From: %{}
Phone | Ext: %{}
Priority: %{ticket.priority}
Subject: %{ticket.subject}
Original ticket body: %{ticket.thread.original}
Submitted: %{ticket.create_date}
Topic: %{}
Poster's name: %{}

Assigned staff and/or team: %{ticket.assigned}
Due Date: %{ticket.due_date}
Date Closed: %{ticket.close_date}

Auth. token used for auto-login: %{ticket.auth_token}
RETIRED Client's ticket view link: %{ticket.client_link} users should upgrade to the token %{recipient.ticket_link}
Staff's ticket view link: %{ticket.staff_link}

OLD Help Topic: %{ticket.topic}
Help Topic: %{}

Department: %{ticket.dept}
Department Name: %{}
Department Manager Name: ${}
Assigned/closing staff: %{ticket.staff}
Assigned/closing team: %{}

Other Variables

Incoming message: ${message} [instead of this user comments for assigned note]
To get the last message use: %{ticket.thread.lastmessage}
Outgoing Response: ${response}
name of responder: %{response.poster}
Assign/transfer comments: %{comments}
Assigned staff/team: %{assignee}
Staff assigning ticket: %{assigner}
osTicket base URL (FQDN): %{url}
Password Reset URL: %{reset_link}

Internal Note VARS
OLD Internal Note: %{note}
Note Poster: %{note.poster}
Note Title: %{note.title}
Note Message: %{note.message}

Custom variables, such as those you add via Manage -> Forms, can be accessed using the name that you gave them and the prefix of the built-in form that you added them to. So if you added a field called Agency that was added to the built-in "Ticket Details" you would access it as, aka:


Data associated with "Contact Information" is available via %{ticket.user.VARIABLE}. Where VARIABLE is the variable name that you assigned the field in the form. Data associated with other forms (such as extra forms added to help topics) is currently not available this way. It's been this way since iirc.


It is important to note that while I have tested many of these, I have not tested all of them. Any labeled as OLD might not work anymore as they appear to have been replaced with new versions. Enjoy!

If you find something wrong with this list please email me at ntozier at osticket dot com and I will update this list when I get a chance. Thanks!

Update 05/22/2015 Forum user Belwi gave me the following to add %{ticket.source} %{response.create_date} %{message.create_date} %{} %{}

Update 6/24/2015 Forthcoming version 1.10 has a variable type-ahead feature which should trivialize this list.

Update 11/16/2015 Forthcoming version 1.10 has a variable that allows emailing attachments to the Agent.  The variable for this is %{message.files}


osTicket v1.9.x Frequently Asked Questions (FAQ)

Generally speaking, many of the previous FAQ answers [for former versions of osTicket] sometimes still apply to the current version. The line numbers will be wrong, but the information is usually still good. If you do not see an answer to your question please check out the older versions of this FAQ and/or post on the osTicket forums.


osTicket 1.9 Released

If you downloaded the original 1.9 release please download it.
There were several quick fixes that were bundled afterwards.

As of today you can now download 1.9 codenamed "Whispers" from the page.

Here is a list of the enhancements, bug fixes, and Security updates:

osTicket 1.9 "Whispers"

Client Login and Registration

Setup flexible user registration policy for your help desk to match your needs. Users can register for accounts via the client portal and can now login with a username and password instead of email and ticket number. We also have a forgot-my-password link and several other new minor adjustments to the user profile.

External Authentication Support

Use third-party SSO to authenticate your users and staff. Initial support includes OAuth2 and LDAP (v0.5 of the LDAP plugin is required).

User Directory

Search, view, and manage, even delete! contact information from the users from whom you receive tickets. Staff can also manually register users and even set an initial password. Users can also be imported and exported via CSV data.


Organize your users together into organizations. Organizations can have internal owners ("Account Manager") and external owners ("Primary Contact"). The Account Manager can receive new ticket and new message alerts. Organization Primary Contacts and members can be automatically added to tickets as collaborators.

User and Organization Notes

Quickly view, edit, add and remove pertinent notes on your users and organizations

Form Management

Staff members can now add, delete, and sort forms attached to tickets, users and organizations as well as remove stale data where fields have been retired from active forms.

Custom Properties for Lists

Add properties to your list items and use it in your email templates and pages. For example create an address property to a list of locations. List items can also be disabled now, which causes them to be hidden from selection.

PJAX page loading

For browsers supporting PJAX, navigating around the system will see a performance improvement as javascript and css files are not re-parsed for each page load.

Redactor 9.2

Several new features including a floating editor bar as well as better support for non-US keyboards

Upgrading osTicket to current (1.9rc)

So you're running osTicket version and you want to upgrade it to current, which as of this writing is 1.9-rc1. You’ve come to the right place. A couple of notes before we get started. You may have read something on the forums about the pending release of 1.8.2. Due to the number and the severity of changes in this new version, it was decided that the 1.8.2 release number would be skipped and we would jump right to 1.9. This is not a minor release like originally planned, and I have to say that the beta group gave us some fantastic feedback. If you are interested in joining the osTicket AVid Users (Beta group) please go to!forum/beta-testers

Now back to our regularly scheduled article.

Remember that 1.9-rc1 is not a stable release and should never be used on a production server in a production environment. You should really wait for 1.9ST to be released before you upgrade. The images in this article are for going from v to 1.8.2, but this is the same thing as 1.9; as I stated previously, the only real difference is the version number.

If you have ever upgraded osTicket in the past your experience this time will not be much different than it has been.

Before you start it is important to mention that if you have installed any mods or performed any custom coding (including changing graphics, translations, etc.) that upgrading will not be as simple as it sounds in this article and you will lose all the modifications that you made. You could very well break your site and at the very least lose some of the functionality that you now enjoy.

1. Put the site into offline mode.

To do this, log into your site and navigate to Admin panel -> Settings -> Helpdesk Status and toggle the radio button to “Offline (Disabled)”, scroll down and click “Save Changes”.

note: I personally leave the site open, but navigated back to the Client panel.

2. Make a backup of your database.

There are various ways to do this and I am not going to cover all of them, but my preferred way is to use command line. You can do this simply by issuing a command similar to:

mysqldump -u userName -p databaseName > fileName.sql

note: change userName to your DB username, databaseName to the name of your DB, and fileName to whatever you want to call the backup file.

Another easy way to do backups (on windows) is to use MySQL Admin (deprecated) or MySQL WorkBench.

3. Make a backup of your site.

Once again there are various ways to achieve this. I trust that you know how you want to do it, just make sure that you do it.

NOTE: You should never rely on your ISPs automatic backups,
always make your own backups before upgrading!!!

While you are here, you may want to also make a separate copy of your /include/ost-config.php file. This file contains the database connection information.

4. Download the latest version of OSTicket.  Once 1.9ST is released you will be able to get it from GitHub, but for right now you can only get the Release Candidate from

5. Extract it to your OSTicket directory. Yes, you can and should have it overwrite existing files.

6. Reload your web page. When the page loads you should be looking at the image below. Since this is an upgrade you should be looking at the upgrader. This is important to note since the Upgrader looks different from the Installer.

fig 1 – upgrader


You should at this point be able to click the “Start Upgrade Now” button. The next screen should look like this:

fig 2 – upgrader, page 2


Unless you have a reason not to, go ahead and click the “Do It Now!” button. This should result in a small rectangle popping up in the middle of your screen like this:

fig 3 – upgrader, actual upgrading


Once it has completed you should be looking at the following page:

fig 4 – upgrader, upgrade completed


Now if you click on the Settings tab you should be looking at the following:

fig 5 – admin panel, version


While you are here if you put the site into Offline mode you should put it back in Online mode (don’t forget to click Save Changes at the bottom of the page).

Congratulations! You’ve upgraded from to 1.9, however you are not quite finished yet.

7. Time for post install clean up.

First go into your OSTicket directory and delete [or rename] the setup folder. It is not needed for a live or production site and should never be left on a publicly accessible server. I recommend that you delete it, but some people like renaming it to keep the files around should they need it again. For the record you should not need it again, and if you did you can always just re-download the distribution archive.


That’s it for the “hard” stuff. I would at this point recommend that you take another backup of your site (both database and files) since you just made major changes to the site.

As a side note, if you are upgrading from 1.8.2 (beta) to 1.9rc you will not see the upgrader because there were no database changes between those two versions.





p.s. the instructions for installing and configuring the LDAP/AD plugin really haven’t changed.

How to add a configuration option to osTicket

So you wrote a mod or a plugin and want to add some configuration options directly into the osTicket Admin panel. This is a short tutorial on how to add a setting to osTicket, and then have your mod (or plugin) check that setting.

First off realize that modding osTicket can result in the breaking of your site, and you should really perform a backup of both the site and your database prior to making changes.

Next is to decide what you want your setting to be; where you want to put it in the admin panel; and what you want to label it.  Personally I wrote a mod a while back that adds a client side open ticket list and think it would be great to be able to toggle this feature on and off, and control how many open tickets the mod displays.  You do not have to have this mod installed to follow this tutorial, but I figured a real world example might be easier so this tutorial will assume that mod is already installed. To that end I've decided on two settings:

  • "Display Open Tickets to Clients", which will be a check box and have the help text of "Allow clients to view a safe summary of open tickets on the landing page"
  • "Display # open ticket to Clients:" which will be a text field, and have a help text of " (Limit the number of open tickets to display to clients – default 10)"

I've decided to put both of these settings in Admin panel -> Settings -> Tickets, as the last two options before the "Attachments" section.  So let's start editing by adding these fields there.

Let's open and edit: /include/class.config.php
Scroll down to line 304.
Just after the closing } add:

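    // Returns the stored state of the "Display Open Tickets to Clients" check box.
    function clientDisplayOpen() {
        return $this->get('client_display_open');
    }

    // Returns the stored number of open tickets to show to clients.
    function clientDisplayNum() {
        return $this->get('client_display_num');
    }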

This will let us use those functions to get the config variables values later.

Next scroll down to line 903.
After the line that reads:

This will make sure that our fields get updated when we hit save.

Now let's open and edit: /include/staff/
Scroll down to line 138.
Place your cursor after the </tr> and hit enter.
We are going to add a new tr here to display the settings on the page.
        <tr>
            <td>Display Open Tickets to Clients:</td>
            <td>
                <input type="checkbox" name="client_display_open" <?php
                echo $config['client_display_open']?'checked="checked"':''; ?>>
                Allow clients to view a safe summary of open tickets on the landing page
            </td>
        </tr>
        <tr>
            <td>Display # open ticket to Clients:</td>
            <td>
                <?php
                    // Fall back to 10 when the setting is missing or 0.
                    if($config['client_display_num'] == '0' || $config['client_display_num'] == null) {
                        $client_display_num = '10';
                    } else {
                        $client_display_num = $config['client_display_num'];
                    } ?>
                <!-- The stored value is HTML-escaped before it is echoed into the attribute. -->
                <input type="text" name="client_display_num" size=4 value="<?php echo htmlspecialchars($client_display_num, ENT_QUOTES); ?>">
                <em>(Limit the number of open tickets to display to clients - default 10)</em>
            </td>
        </tr>

Let's go over this a little.
$config['client_display_open'] is the variable that holds if our check box is checked.
$config['client_display_num'] is the variable that holds the # of tickets to display.  Additionally it defaults to 10 if it's not set, or is set to 0. This is redundant, as it's also checked in display_help_topics.php.

Note: if you have a LOT of tickets open on a regular basis you may want to consider hard coding in a default for maximum also so that way staff cannot set it to say 500 and have it display 500 open tickets to the client.

Lastly we need to change the display logic a little to determine if we should be displaying the open ticket list.
Let's open and edit: /index.php

Replace the last 9 lines with:
    if($cfg && $cfg->isKnowledgebaseEnabled()){ $displayfaq = '1'; }
    else { $displayfaq = '0'; }
    if ($ost->getConfig()->clientDisplayOpen()) { $displayopen = '1'; }
    else { $displayopen = '0'; }
    if ($displayopen == '1' && $displayfaq == '1') { ?>
        <p>Be sure to browse both our <a href="kb/index.php">Frequently Asked Questions (FAQs)</a>, and the open tickets below before opening a ticket.  Thank you.
        <div id="openticks"><?php include('display_open_topics.php'); ?></div>
    <?php }
    else {
        if($displayfaq == '1') { ?>
            <p>Be sure to browse our <a href="kb/index.php">Frequently Asked Questions (FAQs)</a> before opening a ticket.  Thank you.
        <?php }
        if($displayopen == '1') { ?>
            <div id="openticks"><?php include('display_open_topics.php'); ?></div>
        <?php }   
    } ?></div><?php require(CLIENTINC_DIR.''); ?>

What this does is based on how displayfaq and displayopen are set it shows different things. The important part here if you're going to do this for something else is how we reference the setting specifically: $ost->getConfig()->clientDisplayOpen().

Lastly, to be complete, we need to edit display_open_topics.php.  This file is not part of the standard osTicket distribution (yet?) and is included in the mod archive I mentioned earlier.  Currently it's hard coded to display 10 records.  Locate lines 21-22, which should look like this:

// The maximum amount of open tickets that you want to display.
$limit = '10';

Replace them with the following:
// The maximum amount of open tickets that you want to display.
$limit = $ost->getConfig()->clientDisplayNum();

// if limit is 0 or null set to default [10].
if($limit == '0' || $limit == null) {
    $limit ='10';
}

What this does is check for the setting in the database and, if it doesn't exist or is 0 for some reason, set the number to 10.  This is a little redundant because we also check to make sure that if it's 0 or null that it gets set to 10 in /include/staff/
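
The earlier note about hard coding a maximum and the 0-or-null fallback shown here can be handled by one helper that also rejects anything that is not a plain number. This is an added example, not code from the mod archive or from osTicket; normalizeTicketLimit(), both constants and the ceiling of 50 are assumptions made for illustration.

```php
<?php
// Added example: not code from the mod archive or from osTicket.
// normalizeTicketLimit() and both constants are hypothetical names.

const OPEN_TICKETS_DEFAULT = 10; // the tutorial's default
const OPEN_TICKETS_MAX     = 50; // assumed ceiling; choose one that fits your help desk

/**
 * Convert the raw client_display_num setting into a safe row count.
 *
 * @param mixed $raw     value as returned by $ost->getConfig()->clientDisplayNum()
 * @param int   $default used when the setting is missing, 0 or malformed
 * @param int   $max     hard upper bound, whatever staff typed into the form
 * @return int  always between 1 and $max
 */
function normalizeTicketLimit($raw, $default = OPEN_TICKETS_DEFAULT, $max = OPEN_TICKETS_MAX)
{
    // Never saved: use the default.
    if ($raw === null) {
        return $default;
    }
    $raw = trim((string) $raw);

    // Accept 1 to 6 decimal digits and nothing else. Signs, exponents,
    // trailing text and absurdly long numbers all fall back to the default,
    // so only an integer can reach whatever consumes $limit afterwards
    // (for instance a query's LIMIT clause, which is an assumption about the mod).
    if (!preg_match('/^[0-9]{1,6}\z/', $raw)) {
        return $default;
    }

    $n = (int) $raw;
    if ($n === 0) {
        return $default; // 0 is treated as "not configured", as in the tutorial
    }

    // Staff cannot raise the list above the ceiling.
    return min($n, $max);
}

// Constructed sample values covering the cases discussed in the text.
$samples = array(null, '', '0', '7', '10', '500', '-5', '1e3', '10abc', '99999999999');
foreach ($samples as $sample) {
    printf("%-16s => %d\n", var_export($sample, true), normalizeTicketLimit($sample));
}

// In display_open_topics.php the assignment and the 0-or-null check would become:
//   $limit = normalizeTicketLimit($ost->getConfig()->clientDisplayNum());
```

The same call can replace the fallback block in the settings template, so the form shows the value that will actually be used.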

Now if you log into your osTicket installation and go to Admin panel -> Settings -> Settings -> Tickets you should see something like this:
new config options