diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index 70c57e15bf233c11099eca2350633565141be953..9ca601e33020d9c0f3ea1e669bbc4d405217df5e 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -15,6 +15,9 @@ class DynamicFormsAjaxAPI extends AjaxController {
     }
 
     function getFormsForHelpTopic($topic_id, $client=false) {
+        if (!$_SERVER['HTTP_REFERER'])
+            Http::response(403, 'Forbidden.');
+
         if (!($topic = Topic::lookup($topic_id)))
             Http::response(404, 'No such help topic');
 
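Review bot: The referer check added at the top of getFormsForHelpTopic treats `$_SERVER['HTTP_REFERER']` as a trust signal, but that header is client-supplied and is legitimately absent under a strict Referrer-Policy or privacy tooling, so it neither reliably stops forged cross-site requests nor avoids rejecting real clients. When the key is missing, the bare index access also raises an undefined-index notice; `if (empty($_SERVER['HTTP_REFERER']))` avoids that. The durable control is an authorization check on the topic itself (presumably the `$client` path should only serve topics visible to clients) rather than a referer test; the rest of the function is outside the hunk, so I cannot see whether such a check already exists further down.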
@@ -381,9 +384,15 @@ class DynamicFormsAjaxAPI extends AjaxController {
     }
 
     function attach() {
+        global $thisstaff;
+
+        $config = DynamicFormField::objects()
+            ->filter(array('type__contains'=>'thread'))
+            ->first()->getConfiguration();
         $field = new FileUploadField();
+        $field->_config = $config;
         return JsonDataEncoder::encode(
-            array('id'=>$field->ajaxUpload())
+            array('id'=>$field->ajaxUpload($thisstaff ? true : false))
         );
     }
 
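Review bot: `->first()` at the start of attach() returns null when no DynamicFormField whose type contains 'thread' exists, and the chained `->getConfiguration()` then fatals instead of producing a JSON error. Split the chain and fail explicitly: `$threadField = DynamicFormField::objects()->filter(array('type__contains'=>'thread'))->first();` then `if (!$threadField) Http::response(500, 'Thread field not configured');` then `$field->_config = $threadField->getConfiguration();`. `$thisstaff ? true : false` is more simply `(bool) $thisstaff`, and assigning `_config` directly from outside FileUploadField bypasses whatever accessor the class uses for its configuration — worth confirming that property is meant to be written this way.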
diff --git a/include/class.forms.php b/include/class.forms.php
index c097dd995ab0f8e48336215bb6acf578e0dfb440..062bcaea5a173b5b0f3cca56a8825bed5d281ef3 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -2837,7 +2837,7 @@ class FileUploadField extends FormField {
 
         // Check MIME type - file ext. shouldn't be solely trusted.
         if ($type && $config['__mimetypes']
-                && in_array($type, $config['__mimetypes']))
+                && in_array($type, $config['__mimetypes'], true))
             return true;
 
         // Return true if all file types are allowed (.*)
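Review bot: With `in_array(..., true)` the MIME lookup now requires a byte-exact match, so any variation in how `$type` is produced — upper-case letters, a trailing `; charset=` parameter from the detector, or `__mimetypes` entries saved with different casing — silently stops matching and the upload falls through to the later checks. If the detector does not already normalise, lower-casing both sides keeps the strict comparison without the false negatives: `in_array(strtolower($type), array_map('strtolower', $config['__mimetypes']), true)`. The enclosing method starts and ends outside the hunk, so I cannot see where `$type` originates.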
diff --git a/include/class.http.php b/include/class.http.php
index 2616121c24b130f365f58b2b10f1d1810be118c8..632a80b03b230fe8a941be470406cd79e871c8b8 100644
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -106,6 +106,9 @@ class Http {
     }
 
     function download($filename, $type, $data=null, $disposition='attachment') {
+        if (strpos($type, 'image/') !== 0 || preg_match('/image\/.*\+.*/', $type))
+          $disposition='attachment';
+
         header('Pragma: private');
         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
         header('Cache-Control: private', false);
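Review bot: The new guard in download() forces `$disposition` to attachment for anything that is not an `image/` type or is an `image/...+...` type such as SVG, which is the right fail-closed default, but the regex `'/image\/.*\+.*/'` is a substring test in disguise and the comparison is case-sensitive (a `$type` of `Image/PNG` is forced to attachment, harmless but surprising). `if (strpos($type, 'image/') !== 0 || strpos($type, '+') !== false)` says the same thing directly, and the assignment line beneath it uses a 2-space indent where the file uses 4. A comment stating the intent would help the next reader, e.g. `// Only plain image types may render inline; anything else, including image/svg+xml, is served as a download.` The rest of download() is outside the hunk.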
diff --git a/include/class.misc.php b/include/class.misc.php
index b5ce887053eba3be836dbc976aa23447c2b8ca80..57c18a8df5f0456bd8cce201c7c003ae52fdcee4 100644
--- a/include/class.misc.php
+++ b/include/class.misc.php
@@ -52,12 +52,14 @@ class Misc {
     }
 
     /* Helper used to generate ticket IDs */
-    function randNumber($len=6,$start=false,$end=false) {
-
-        $start=(!$len && $start)?$start:str_pad(1,$len,"0",STR_PAD_RIGHT);
-        $end=(!$len && $end)?$end:str_pad(9,$len,"9",STR_PAD_RIGHT);
+    function randNumber($len=6) {
+        $number = '';
+        for ($i=0; $i<$len; $i++) {
+            $min = ($i == 0) ? 1 : 0;
+            $number .= mt_rand($min, 9);
+        }
 
-        return mt_rand($start,$end);
+        return (int) $number;
     }
 
     /* misc date helpers...this will go away once we move to php 5 */
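Review bot: randNumber() still draws from `mt_rand`, a seeded Mersenne Twister whose output can be reconstructed from a few observed values, and the comment says these numbers become ticket IDs, so future IDs are predictable to anyone who has seen a handful. `$number .= random_int($min, 9);` is a drop-in CSPRNG replacement on PHP 7+. Two smaller points: a `$len` of 0 now returns 0 rather than a number, and the `(int)` cast saturates at PHP_INT_MAX for `$len` > 18 on 64-bit, so a guard or a documented upper bound is worth adding; the `$start`/`$end` parameters were dropped from the signature, so any caller still passing them now has those arguments silently ignored.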
diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index 51f8bd2fc5e934dd2b67e95518999959fdbedb30..2b9827b68a330f309e79b493320044a2a88536f7 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -53,7 +53,7 @@ class osTicketSession {
             list($domain) = explode(':', $_SERVER['HTTP_HOST']);
 
         session_set_cookie_params($ttl, ROOT_PATH, $domain,
-            osTicket::is_https());
+            osTicket::is_https(), true);
 
         if (!defined('SESSION_BACKEND'))
             define('SESSION_BACKEND', 'db');
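Review bot: The added `true` sets HttpOnly on the session cookie, but SameSite remains unset, so the cookie is still attached to cross-site top-level and sub-resource requests. If the supported PHP floor is 7.3 or later, the array form carries it: `session_set_cookie_params(array('lifetime'=>$ttl, 'path'=>ROOT_PATH, 'domain'=>$domain, 'secure'=>osTicket::is_https(), 'httponly'=>true, 'samesite'=>'Lax'));`. Separately, the `$domain` in the context line above appears to come from `$_SERVER['HTTP_HOST']`, a request-controlled header; that predates this commit but deserves a look alongside a cookie-hardening change. The enclosing method continues outside the hunk.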
diff --git a/include/staff/directory.inc.php b/include/staff/directory.inc.php
index 9eb4926dd6825ace920ad39536e8521ae422102f..a604acc184eccf823766b96646f932eed72d5375 100644
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -5,6 +5,10 @@ $qs = array();
 $agents = Staff::objects()
     ->select_related('dept');
 
+// Sanitize 'order' param To Escape XSS
+if ($_REQUEST['order'])
+    $_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
+
 if($_REQUEST['q']) {
     $searchTerm=$_REQUEST['q'];
     if($searchTerm){
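Review bot: Sanitizing `$_REQUEST['order']` in place at the top of directory.inc.php is the wrong layer for the XSS it targets: running an HTML sanitizer on input leaves every later output site depending on an invariant that is easy to lose, and `order` presumably feeds both generated links and a sort choice, where the appropriate defence is an allowlist of accepted values rather than markup stripping. Prefer validating the value against the sort orders the page accepts and discarding anything else, and escaping with `htmlspecialchars()` (or the project's equivalent) wherever it is echoed; the consumers of `order` are not visible in this hunk. Also `if ($_REQUEST['order'])` raises an undefined-index notice when the parameter is absent — `if (isset($_REQUEST['order']))` avoids it.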
diff --git a/include/staff/users.inc.php b/include/staff/users.inc.php
index 5d35e3f277a50c1d6dfabaabe2005cbeb1631cb6..04c292a0bbf5fbc66b47f99564eb94f1fae8abdc 100644
--- a/include/staff/users.inc.php
+++ b/include/staff/users.inc.php
@@ -312,6 +312,11 @@ $(function() {
         goBaby($(this).attr('href').substr(1));
         return false;
     });
+
+    // Remove CSRF Token From GET Request
+    document.querySelector("form[action='users.php']").onsubmit = function() {
+        document.getElementsByName("__CSRFToken__")[0].remove();
+    };
 });
 </script>
 
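Review bot: The submit hook added at the end of the ready handler dereferences `document.querySelector("form[action='users.php']")` and `getElementsByName("__CSRFToken__")[0]` without null checks, so on any page variant where the form or the hidden token is absent it throws a TypeError — at load time in the first case, which aborts the rest of the handler. Assigning `onsubmit` also replaces any handler another script attached to the form, whereas `addEventListener` composes. Scoping the token lookup to the form avoids removing a token that belongs to a different form on the page.
```javascript
    // … unchanged: goBaby click handler …

    var usersForm = document.querySelector("form[action='users.php']");
    if (usersForm) {
        usersForm.addEventListener('submit', function() {
            // Drop the CSRF token from this GET form so it is not sent in the URL
            var token = usersForm.querySelector("[name='__CSRFToken__']");
            if (token) token.remove();
        });
    }
```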
diff --git a/profile.php b/profile.php
index 47c100aef5fe46f44c1072e0248bc47058f9f047..db501ced39718803bc83db75139159b9f3a82915 100644
--- a/profile.php
+++ b/profile.php
@@ -19,6 +19,12 @@
 require 'secure.inc.php';
 
 require_once 'class.user.php';
+
+// Check if User is Guest. If so, redirect them back to ticket page to
+// prevent Account Takeover.
+if ($thisclient->isGuest())
+    Http::redirect('tickets.php');
+
 $user = User::lookup($thisclient->getId());
 
 if ($user && $_POST) {
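Review bot: The guest gate added before the User lookup relies on `Http::redirect('tickets.php')` terminating the request; if that helper only emits the Location header and returns, execution continues into the lookup and the `$_POST` branch below with the guest's client id, which is presumably the very takeover the comment describes. If redirect() does not exit internally, add `exit;` directly after it, and record the assumption either way: `// Http::redirect() ends the request; nothing below runs for guests.` I also cannot confirm from this hunk that `$thisclient` is always set by secure.inc.php; if it can be null, `$thisclient->isGuest()` itself fatals.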