View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004921||mantisbt||security||public||2004-11-29 09:20||2004-12-11 03:01|
|Fixed in Version||0.19.2|
|Summary||0004921: Webmaster email address is exposed to SPAM in html_api.php|
The file html_api.php includes the following:
echo "\t", '<address>', config_get( 'webmast\
<i>Robert Fischer /
Another way I've seen to stay secure would be to eliminate the email addresses altogether. Just include a link that says "mail webmaster". When the user presses that link, he gets a box in which he can type a message to the webmaster. Of course, this kind of stuff could be spammed with enough effort as well.
Until this security problem is fixed, I have simply commented out the offending line in html_api.php
|Tags||No tags attached.|
I suggest that we replace the mailto links + this email with a link to a page that discloses the email addresses. This page would show a captcha image. Once it is confirmed, the user is presented with the actual email address which is also hyperlinked using the mailto.
I suppose there are three ways to protect the webmaster's address (I'll summarize here):
I can think of pros and cons of all three:
About "3 Contra"
The webmaster email is now only shown if the current user is not the anonymous user.
Your idea sounded good though, Victor.
|2004-11-29 09:20||citibob||New Issue|
|2004-11-29 10:42||jlatour||Note Added: 0008441|
|2004-11-29 10:42||jlatour||Status||new => acknowledged|
|2004-11-29 10:42||jlatour||Relationship added||child of 0004818|
||Relationship added||related to 0003909|
||Note Added: 0008446|
|2004-11-30 05:21||vboctor||Note Added: 0008451|
|2004-11-30 09:26||citibob||Note Added: 0008458|
||Note Added: 0008461|
|2004-12-04 18:56||vboctor||Assigned To||=> vboctor|
|2004-12-04 19:30||vboctor||Status||acknowledged => resolved|
|2004-12-04 19:30||vboctor||Fixed in Version||=> 0.19.2|
|2004-12-04 19:30||vboctor||Resolution||open => fixed|
|2004-12-04 19:30||vboctor||Note Added: 0008508|
|2004-12-05 11:37||jlatour||Note Added: 0008516|
|2004-12-11 03:01||vboctor||Status||resolved => closed|
|2005-04-07 08:17||thraxisp||Relationship replaced||has duplicate 0003909|