Signup UserName Valid Characters

Posted: 19 Nov 2025, 10:01
by RandyA
I got a security report on our forum because a malicious actor in the sign up form can enter text like:

"myfishingwebsite.com" as the user name and some potential victim as the email.

With some e-mail clients, like Gmail, anything that looks like a URL is automatically converted to a clickable link.

It is extremely stupid for Gmail to convert random text to URLs simply because it looks like URL.

But my question is this a vulnerability in MantisBT because some email client designers are idiots?

Re: Signup UserName Valid Characters

Posted: 19 Nov 2025, 14:20
by atrol
MantisBT is sending plain text (as opposed to HTML) email, so I agree with your statement concerning email clients.
Even for HTML email it's questionable to convert such strings to links.

You could restrict user names by setting MantisBT configuration option

$g_user_login_valid_regex
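Below is an added example, not code from this thread or from MantisBT itself, of tightening that option in config_inc.php so that URL-shaped names such as the one in the report are rejected at sign-up. The permissive pattern is an assumption used only for comparison, and the helper function and sample names are constructed for the demonstration.

```php
<?php
// Added example (not from the forum thread or MantisBT): $g_user_login_valid_regex
// decides which sign-up names MantisBT accepts. The permissive pattern below is
// an assumption modelled on a loose pattern; it admits "." and "@", so a name
// like "myfishingwebsite.com" passes and later appears verbatim in emails.
$t_permissive_regex = '/^([a-z\d\-.+_ ]+(@[a-z\d\-.]+\.[a-z]{2,4})?)$/i';

// Tightened value for config_inc.php: letters, digits, underscore and hyphen
// only, 3 to 32 characters. Without "." or "@" no accepted name looks like a
// URL or an email address to an auto-linking mail client.
$g_user_login_valid_regex = '/^[a-z\d_-]{3,32}$/i';

// Constructed helper: true when the name matches the given login pattern.
function is_valid_login( string $p_username, string $p_regex ): bool {
	return preg_match( $p_regex, $p_username ) === 1;
}

// Constructed sample names, including the URL-shaped one from the report.
$t_samples = array( 'randy_a', 'atrol-42', 'myfishingwebsite.com', 'victim@example.com', 'ab' );
foreach( $t_samples as $t_name ) {
	printf( "%-22s permissive=%s tightened=%s\n",
		$t_name,
		is_valid_login( $t_name, $t_permissive_regex ) ? 'accept' : 'reject',
		is_valid_login( $t_name, $g_user_login_valid_regex ) ? 'accept' : 'reject'
	);
}
```

Existing accounts are unaffected by a stricter pattern; it is applied when a name is created or changed, so names already registered still need a separate review.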

Re: Signup UserName Valid Characters

Posted: 19 Nov 2025, 15:17
by RandyA
I propose that $s_new_account_greeting be changed for all languages and stop including the username.

It is not needed since the username appears at the top of the box when the verify link is clicked.

Re: Signup UserName Valid Characters

Posted: 20 Nov 2025, 21:47
by atrol
RandyA wrote: 19 Nov 2025, 15:17
> I propose that $s_new_account_greeting be changed for all languages and stop including the username.
That would fix this single workflow.
I agree that this is a very important workflow in terms of security (maybe even the most important one), but there are a lot more workflows where the username is sent via email.

Re: Signup UserName Valid Characters

Posted: 20 Nov 2025, 22:29
by RandyA
It is only an issue when a user can trigger an email sent to an email address they have not proven that they can receive.
So the initial account creation and changing the email from the user profile page.

In other contexts, it probably does not matter. In some cases it has to be sent such as sending the 'forgot username' email.

Re: Signup UserName Valid Characters

Posted: 23 Nov 2025, 09:50
by atrol
RandyA wrote: 20 Nov 2025, 22:29
> In other contexts, it probably does not matter.
If you create an issue and user myfishingwebsite.com adds a note to it, you will get an email notification containing user name myfishingwebsite.com.