0004334: No filters applied to the content/title of the bug

ID	Project	Category	View Status	Date Submitted	Last Update
0004334	mantisbt	bugtracker	public	2004-08-16 07:55	2014-10-14 16:21

Reporter	joxeanpiti	Assigned To	grangeway
Priority	normal	Severity	feature	Reproducibility	always
Status	closed	Resolution	no change required

Summary	0004334: No filters applied to the content/title of the bug
Description	Is quite easy to make a simple script that register too many bugs with, for example, the following estructure : Subject: BUY VIAGRA NOW ONLY FOR $20.00!!!!! Description: You can but viagra for only $20.00! <a href="http://fucking.site">Buy Now!!!</a> Because no filters are applied an spamer? (or any other fucking person) can use our favourite bugtracker system to insert propaganda.
Additional Information	I think that MySlash uses filters to deny this practice, but this is hard to re-code in PHP, and an spamer (or any other fucking person) can experiment with other methods to insert here propaganda. In my opinion the best workaround is <a href="http://www.nogajski.de/horst/php/captcha/index.php">this</a>.
Tags	No tags attached.

sgrund 2004-08-16 08:24 reporter ~0007011	I don't see this: if it's so simple to write a script for automatic bug creation, why isn't it done yet (there are some requests to allow creation of new issues via mail) Second: AFAIK its only allowed for registered users to add issues (at least, you can restrict acces via prefs to this behavior)

joxeanpiti 2004-08-16 08:49 reporter ~0007012 Last edited: 2004-08-16 08:54	I don't see this: if it's so simple to write a script for automatic bug creation, why isn't it done yet (there are some requests to allow creation of new issues via mail) If do you want I can create this. I need 1 hour at least. Second: AFAIK its only allowed for registered users to add issues (at least, you can restrict acces via prefs to this behavior) I found the same "feature" in bugzilla and I get the same response and more data. Bugzilla guys says that we can disable/remove the account that is sending the propaganda. Yes, of course. But, if we create a robot that : 1.- Creates a new random user that doesn't exists. 2.- Reads the e-mail and logins with the username and the password supplied in the e-mail. 3.- Sends 100 bugs that are propaganda. The solution may be deny user registration with e-mails from certain domains? From certain e-mails? I think that deny from certain domains is a good way, but..., if any person creates a robot that uses any public e-mail services, such as Yahoo? Ok, block from certain complete e-mail address. Yes? and if an spamer has 200 e-mail accounts? and if an spamer can create whatever he want e-mail accounts? Finally I will create a simple script that makes this, if do you want :) NOTE: I think that this bug should be private. editada el: 08-16-04 08:54

proffe 2005-01-24 14:39 reporter ~0009074	With captcha implemented, maybe this issue can be considered resolved?

grangeway 2014-10-05 05:53 reporter ~0041356	After 10 years, and given there's a signup captcha, I think we can mark this as resolved for now at least - as it's not grown into a big problem ;) One would need to add some method of ratelimiting or filtering, which may be best done via a plugin as i'm sure different people would need to filter/limit different 'problems'. We are resolving this issue as "no change required", because it was reported against an old version of MantisBT which is no longer supported. We recommend that you upgrade to the latest stable version [1]; if after doing so the problem still exists, do not hesitate to reopen the issue. [1] http://www.mantisbt.org/download.php

View Issue Details

Activities