View Issue Details

IDProjectCategoryView StatusLast Update
0004921mantisbtsecuritypublic2004-12-11 03:01
Reportercitibob Assigned Tovboctor  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version0.19.1 
Fixed in Version0.19.2 
Summary0004921: Webmaster email address is exposed to SPAM in html_api.php
Description

The file html_api.php includes the following:

echo "\t", '<address>', config_get( 'webmast\
er_email' ), '</address>', "\n";

In today's environment, this will unfortunately lead to the webmaster being SPAMMed. I have found an effective replacement to this is to use Javascript to write out the appropriate HTML on the client. For example:

<i>Robert Fischer /
<script language="Javascript" type="text/javascript">
<!--
function em_write () {
var address = Array('r', 'f', 'i', 's', 'c', 'h', 'e', 'r');
var domain = Array('r', 'i', 'c', 's', '.', 'b', 'w', 'h', '.',
'h', 'a', 'r', 'v', 'a', 'r',
'd', '.', 'e', 'd', 'u');
var sgn = "@";
var addy = address.join("") + sgn + domain.join("");
document.writeln('' + addy + '
');
} // end func

    em_write();

// -->
</script></i><br>

This is effective at protecting email addresses from SPAM because Javascript programs are not guaranteed to halt; very few if any email address harvesters can afford to run the Javascript they find in the pages.

Mantis should generate this kind of Javascript in html_api.php, instead of simply writing out the address. As an option for "additional" security, one might consider that the ultimate address written out would not be in standard email format.

Another way I've seen to stay secure would be to eliminate the email addresses altogether. Just include a link that says "mail webmaster". When the user presses that link, he gest a box in which he can type a message to the webmaster. Of course, this kind of stuff could be spammed with enough effort as well.

Until this security problem is fixed, I have simply commented out the offending line in html_api.php

TagsNo tags attached.

Relationships

has duplicate 0003909 closedthraxisp Small aestetical and antispam improvements in html_footer() func of html_api 
child of 0004818 closedvboctor Mantis 0.19.2 release 

Activities

jlatour

jlatour

2004-11-29 10:42

reporter   ~0008441

Agreed, although I think we need to consider which approach we want to take here. Also, we will have to consider the installation's preference on using Javascript.

Wanderer

Wanderer

2004-11-29 22:22

developer   ~0008446

I tend to agree, and from other side - you can write now encoded webmaster e-mail in config, as I done for my sites (in easiest form, without Javascript)

vboctor

vboctor

2004-11-30 05:21

manager   ~0008451

I suggest that we replace the mailto links + this email with a link to a page that discloses the email addresses. This page would should a captcha image. Once it is confirmed, the user is presented with the action email address which is also hyperlinked using the mailto.

citibob

citibob

2004-11-30 09:26

reporter   ~0008458

On Javascript: I had noticed earlier a lot of Javascript in Mantis. But now I see also, there's a user's installation preference on using Javascript. I agree, doing things without Javascript is a good idea.

I suppose there are three ways to protect the webmaster's address (I'll summarize here):

  1. Use Javascript as per example above.
  2. Use "mail webmaster" form.
  3. Obfuscate email address in human-readable format.

I can think of pros and cons of all three:

  1. Pro: easy for end users.
    Con: requires Javascript.
  2. Pro: No Javascript required, easy (sort of) for end users
    Con: requires users type in their email address correctly. Power users hate it.
  3. Pro: Technically simple
    Con: Could be too hard for some end users
Wanderer

Wanderer

2004-11-30 10:49

developer   ~0008461

About "3 Contra"
I can't recall, where I found small standalone program "E-mail cloaker", in which all done automagically - you write e-mail and will get obfuscated by HTML-entities mailto (easy form) or ready to use javascript (where more strong, than in your example protection used, try this example :-) )

<script language="JavaScript"> <!--
document.write ('mai&0000001')
document.write ('08;to:badger')
document.write ('@')
document.write ('lair.pp')
document.write ('.')
document.write ('ru')
// -->
</script>

vboctor

vboctor

2004-12-04 19:30

manager   ~0008508

The webmaster email is now only shown if the current user is not the anonymous user.

jlatour

jlatour

2004-12-05 11:37

reporter   ~0008516

Your idea sounded good though, Victor.

Issue History

Date Modified Username Field Change
2004-11-29 09:20 citibob New Issue
2004-11-29 10:42 jlatour Note Added: 0008441
2004-11-29 10:42 jlatour Status new => acknowledged
2004-11-29 10:42 jlatour Relationship added child of 0004818
2004-11-29 22:18 Wanderer Relationship added related to 0003909
2004-11-29 22:22 Wanderer Note Added: 0008446
2004-11-30 05:21 vboctor Note Added: 0008451
2004-11-30 09:26 citibob Note Added: 0008458
2004-11-30 10:49 Wanderer Note Added: 0008461
2004-12-04 18:56 vboctor Assigned To => vboctor
2004-12-04 19:30 vboctor Status acknowledged => resolved
2004-12-04 19:30 vboctor Fixed in Version => 0.19.2
2004-12-04 19:30 vboctor Resolution open => fixed
2004-12-04 19:30 vboctor Note Added: 0008508
2004-12-05 11:37 jlatour Note Added: 0008516
2004-12-11 03:01 vboctor Status resolved => closed
2005-04-07 08:17 thraxisp Relationship replaced has duplicate 0003909