View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0026399||mantisbt||security||public||2019-11-26 21:39||2019-12-09 15:04|
|Summary||0026399: Username shown in URL if password rejected|
If a user tries and fails to log in, the username they entered will appear as part of the URL's HTTP GET parameters, e.g.:
This could result in usernames being inadvertently saved to server and/or proxy logs, or leaked in various other ways.
|Steps To Reproduce|
|Tags||No tags attached.|
Considering that usernames in MantisBT are pretty much public information, as they are displayed all over the place in various screens, I do not think that displaying it in a failed login URL is causing extra exposure.
On my team's Mantis server, we disallow anonymous access, so usernames should only be visible to authenticated users.
The username is provided in the URL as a convenience to the user, so they do not have to type it again after a failed login.
The only option I can think of to satisfy your requirement, would be to only add username=xxx to the query, if anonymous login is enabled (or to never add it at all).
Quite frankly I see the risk of such exposure as negligible and I don't really think it's worth implementing that in core. You're welcome to customize your instance as indicated above.
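The three ways of sending the user back to the login form that are discussed above, written out as an added illustration (this is not MantisBT's own code; the function names, the `ALLOW_ANONYMOUS_LOGIN` stand-in for the instance configuration, and the constructed access-log line are assumptions made for the example). Variant 1 is the behaviour reported in the issue, variant 2 is the gating suggested in note 0063158, and variant 3 keeps the prefill convenience without putting the username in the URL at all.

```php
<?php
// Illustrative only, not MantisBT code. Shows how a login handler can build
// the redirect back to the login form after a rejected password, and what
// ends up in an access log in each case.

// Hypothetical stand-in for the instance's anonymous-login setting.
const ALLOW_ANONYMOUS_LOGIN = false;

// Variant 1 (the reported behaviour): the username is always put in the query
// string, so it is recorded wherever request URLs are logged.
function redirect_url_with_username(string $username, string $return): string {
    return 'login_page.php?' . http_build_query([
        'return'   => $return,
        'error'    => 1,
        'username' => $username,
    ]);
}

// Variant 2 (option from note 0063158): only echo the username back in the URL
// when anonymous login is enabled, i.e. when usernames are already public.
function redirect_url_gated(string $username, string $return, bool $anonymous_login_allowed): string {
    $params = ['return' => $return, 'error' => 1];
    if ($anonymous_login_allowed) {
        $params['username'] = $username;
    }
    return 'login_page.php?' . http_build_query($params);
}

// Variant 3: keep the prefill convenience by stashing the username server-side
// for exactly one request. A plain array stands in for $_SESSION so the
// example runs from the CLI without session_start().
function remember_failed_username(array &$session, string $username): void {
    $session['login_failed_username'] = $username;
}

function take_failed_username(array &$session): string {
    $username = $session['login_failed_username'] ?? '';
    unset($session['login_failed_username']);   // one-shot: gone after the login page reads it
    return $username;
}

// Constructed demo input (not from the issue).
$return   = 'view.php?id=26399';
$username = 'alice';

// What a web server access log would record for each redirect target.
foreach ([
    'variant 1' => redirect_url_with_username($username, $return),
    'variant 2' => redirect_url_gated($username, $return, ALLOW_ANONYMOUS_LOGIN),
] as $label => $url) {
    printf("%-9s  \"GET /%s HTTP/1.1\" 302\n", $label, $url);
}

// Variant 3: the URL carries no username, the login page fetches it from the session.
$session = [];
remember_failed_username($session, $username);
printf("variant 3  \"GET /%s HTTP/1.1\" 302  (prefill from session: %s)\n",
    redirect_url_gated($username, $return, false),
    take_failed_username($session));
```

With `ALLOW_ANONYMOUS_LOGIN` set to `false`, variants 2 and 3 both produce a redirect of the form `login_page.php?return=...&error=1` with no username, which is the outcome the reporter asked for on a server that disallows anonymous access; only variant 3 also keeps the field prefilled.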
|2019-11-26 21:39||anfrind||New Issue|
|2019-11-27 03:17||dregad||Note Added: 0063149|
|2019-11-27 12:46||anfrind||Note Added: 0063150|
|2019-11-28 13:19||dregad||Assigned To||=> dregad|
|2019-11-28 13:19||dregad||Status||new => resolved|
|2019-11-28 13:19||dregad||Resolution||open => won't fix|
|2019-11-28 13:19||dregad||Note Added: 0063158|
|2019-12-09 15:04||atrol||Status||resolved => closed|