View Issue Details
| Field | Value |
|---|---|
| ID | 0004921 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2004-11-29 09:20 |
| Last Update | 2004-12-11 03:01 |
| Reporter | citibob |
| Assigned To | vboctor |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 0.19.1 |
| Fixed in Version | 0.19.2 |
| Summary | 0004921: Webmaster email address is exposed to SPAM in html_api.php |
| Tags | No tags attached. |

Description:

The file html_api.php includes the following:

`echo "\t", '<address><a href="mailto:', config_get( 'webmast\`

In today's environment, this will unfortunately lead to the webmaster being SPAMmed. I have found an effective replacement for this is to use Javascript to write out the appropriate HTML on the client. For example: Robert Fischer /
// -->

This is effective at protecting email addresses from SPAM because Javascript programs are not guaranteed to halt; very few if any email address harvesters can afford to run the Javascript they find in the pages. Mantis should generate this kind of Javascript in html_api.php, instead of simply writing out the address. As an option for "additional" security, one might consider that the ultimate address written out would not be in standard email format.

Another way I've seen to stay secure would be to eliminate the email addresses altogether. Just include a link that says "mail webmaster". When the user presses that link, he gets a box in which he can type a message to the webmaster. Of course, this kind of stuff could be spammed with enough effort as well.

Until this security problem is fixed, I have simply commented out the offending line in html_api.php.
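The client-side approach the reporter describes, as an added example that is not MantisBT code and not the reporter's script: the server emits the webmaster address as an array of character codes (the sample array below is constructed for "webmaster@example.com"), and the browser assembles the same `<address>`/`mailto:` markup that html_api.php currently writes statically. The placeholder element id `webmaster-contact` is an assumption.

```javascript
// Added example (not MantisBT code). Server side would run encodeAddress()
// on the configured webmaster address and emit the resulting array; the
// browser then rebuilds the link, so the raw HTML never contains a
// well-formed email address for a harvester to scan.

// Constructed sample: encodeAddress('webmaster@example.com').
const WEBMASTER_CODES = [119, 101, 98, 109, 97, 115, 116, 101, 114, 64,
  101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109];

// Server-side step: turn the plain address into character codes.
function encodeAddress(addr) {
  return Array.from(addr, (c) => c.charCodeAt(0));
}

// Client-side step: rebuild the plain address from its character codes.
function assembleAddress(codes) {
  return String.fromCharCode(...codes);
}

// Escape the characters that matter inside an attribute or text node, so a
// misconfigured value cannot break out of the generated markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Same markup html_api.php writes today, but produced from the encoded form.
// The link text defaults to the address itself, as in the original line.
function mailtoHtml(codes, label) {
  const addr = assembleAddress(codes);
  const text = label === undefined ? addr : label;
  return '<address><a href="mailto:' + escapeHtml(addr) + '">' +
    escapeHtml(text) + '</a></address>';
}

// In a browser, fill a placeholder via the DOM API rather than
// document.write. With JavaScript disabled the placeholder simply stays
// empty, which is the trade-off the thread discusses.
if (typeof document !== 'undefined') {
  const slot = document.getElementById('webmaster-contact'); // assumed id
  if (slot) {
    const a = document.createElement('a');
    a.href = 'mailto:' + assembleAddress(WEBMASTER_CODES);
    a.textContent = 'Contact the webmaster';
    slot.appendChild(a);
  }
}
```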
Agreed, although I think we need to consider which approach we want to take here. Also, we will have to consider the installation's preference on using Javascript.

I tend to agree, and from the other side: you can write now an encoded webmaster e-mail in config, as I have done for my sites (in the easiest form, without Javascript).

I suggest that we replace the mailto links + this email with a link to a page that discloses the email addresses. This page would show a captcha image. Once it is confirmed, the user is presented with the actual email address, which is also hyperlinked using the mailto.

On Javascript: I had noticed earlier a lot of Javascript in Mantis. But now I see also, there's a user's installation preference on using Javascript. I agree, doing things without Javascript is a good idea. I suppose there are three ways to protect the webmaster's address (I'll summarize here):

I can think of pros and cons of all three:

About "3 Contra" <script language="JavaScript"> <!--

The webmaster email is now only shown if the current user is not the anonymous user.

Your idea sounded good though, Victor.