View Issue Details

ID: 0004921
Project: mantisbt
Category: security
View Status: public
Last Update: 2004-12-11 03:01
Reporter: citibob
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.19.1
Fixed in Version: 0.19.2
Summary: 0004921: Webmaster email address is exposed to SPAM in html_api.php
Description

The file html_api.php includes the following:

echo "\t", '<address><a href="mailto:', config_get( 'webmaster_email' ), '">', config_get( 'webmaster_email' ), '</a></address>', "\n";

In today's environment, this will unfortunately lead to the webmaster being SPAMMed. I have found that an effective replacement for this is to use Javascript to write out the appropriate HTML on the client. For example:

Robert Fischer /
<script language="Javascript" type="text/javascript">
<!--
function em_write () {
    // The address and domain are assembled on the client from character arrays,
    // so the plaintext address never appears in the page source.
    var address = Array('r', 'f', 'i', 's', 'c', 'h', 'e', 'r');
    var domain = Array('r', 'i', 'c', 's', '.', 'b', 'w', 'h', '.',
                       'h', 'a', 'r', 'v', 'a', 'r',
                       'd', '.', 'e', 'd', 'u');
    var sgn = "@";
    var addy = address.join("") + sgn + domain.join("");
    document.writeln('<a href="mailto:' + addy + '">' + addy + '</a>');
} // end func

em_write();

// -->
</script>

This is effective at protecting email addresses from SPAM because Javascript programs are not guaranteed to halt; very few if any email address harvesters can afford to run the Javascript they find in the pages.

Mantis should generate this kind of Javascript in html_api.php, instead of simply writing out the address. As an option for "additional" security, one might consider that the ultimate address written out would not be in standard email format.

Another way I've seen to stay secure would be to eliminate the email addresses altogether. Just include a link that says "mail webmaster". When the user presses that link, he gets a box in which he can type a message to the webmaster. Of course, this kind of stuff could be spammed with enough effort as well.

Until this security problem is fixed, I have simply commented out the offending line in html_api.php.

Tags: No tags attached.

Relationships

has duplicate: 0003909 (closed, thraxisp) Small aestetical and antispam improvements in html_footer() func of html_api
child of: 0004818 (closed, vboctor) Mantis 0.19.2 release

Activities

jlatour (reporter), 2004-11-29 10:42, note ~0008441

Agreed, although I think we need to consider which approach we want to take here. Also, we will have to consider the installation's preference on using Javascript.

Wanderer (developer), 2004-11-29 22:22, note ~0008446

I tend to agree, and on the other side, you can already write an encoded webmaster e-mail in config, as I have done for my sites (in the easiest form, without Javascript).

vboctor (manager), 2004-11-30 05:21, note ~0008451

I suggest that we replace the mailto links + this email with a link to a page that discloses the email addresses. This page would show a captcha image. Once it is confirmed, the user is presented with the actual email address, which is also hyperlinked using the mailto.

citibob (reporter), 2004-11-30 09:26, note ~0008458

On Javascript: I had noticed earlier a lot of Javascript in Mantis. But now I see also, there's a user's installation preference on using Javascript. I agree, doing things without Javascript is a good idea.

I suppose there are three ways to protect the webmaster's address (I'll summarize here):

  1. Use Javascript as per example above.
  2. Use "mail webmaster" form.
  3. Obfuscate email address in human-readable format.

I can think of pros and cons of all three:

  1. Pro: easy for end users.
    Con: requires Javascript.
  2. Pro: No Javascript required, easy (sort of) for end users
    Con: requires users type in their email address correctly. Power users hate it.
  3. Pro: Technically simple
    Con: Could be too hard for some end users

Wanderer (developer), 2004-11-30 10:49, note ~0008461

About "3, Con":
I can't recall where I found a small standalone program, "E-mail cloaker", in which everything is done automagically: you type an e-mail address and get a mailto obfuscated with HTML entities (easy form) or ready-to-use javascript (with stronger protection than the one used in your example; try this example :-) )

<script language="JavaScript"> <!--
// "mailto:" is split across several writes and its "l" is emitted as the
// numeric character reference &#000000108;, so the word never appears
// literally in the page source; the browser still renders a working link.
document.write ('<a href="mai&#0000001')
document.write ('08;to:badger')
document.write ('@')
document.write ('lair.pp')
document.write ('.')
document.write ('ru">')
document.write ('badger @ lair.pp.ru</a>')
// -->
</script>

vboctor (manager), 2004-12-04 19:30, note ~0008508

The webmaster email is now only shown if the current user is not the anonymous user.
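
An added example, not code from MantisBT or from anyone in this thread: it combines the fix described in the note above (nothing at all is emitted for the anonymous user) with the HTML-entity cloaking from Wanderer's note, written as plain JavaScript so it runs under Node rather than in a browser. The function names and the address webmaster@example.com are assumptions made for the example. decodeEntities is included to show the limit of entity cloaking: any HTML parser undoes it in one step, which is why the access check, not the encoding, is the control that actually keeps the address away from anonymous visitors.

```javascript
// Added example (not MantisBT code). Function names and the sample address
// are assumptions made for this demonstration.

// Encode every character of `s` as a decimal numeric character reference
// (e.g. "a" -> "&#97;"). A browser renders the same text, but the raw HTML
// no longer contains a "user@host" pattern.
function encodeEntities(s) {
  return Array.from(s, (ch) => `&#${ch.codePointAt(0)};`).join('');
}

// The reverse transformation, as every HTML parser performs it. It is here
// to make the weakness visible: entity cloaking is obfuscation, not access
// control, and the plaintext is one decode away.
function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, code) => String.fromCodePoint(Number(code)));
}

// Server-side decision, mirroring the 0.19.2 behaviour: the anonymous user
// receives an empty string (no address, cloaked or otherwise); everyone else
// receives the mailto link with the address written as character references.
// Entities are decoded inside attribute values too, so the href still works.
function webmasterLink(email, isAnonymous) {
  if (isAnonymous) {
    return '';
  }
  const cloaked = encodeEntities(email);
  return `<address><a href="${encodeEntities('mailto:')}${cloaked}">${cloaked}</a></address>`;
}

// Constructed sample address for the demonstration.
const SAMPLE_EMAIL = 'webmaster@example.com';

console.log(JSON.stringify(webmasterLink(SAMPLE_EMAIL, true)));  // ""
console.log(webmasterLink(SAMPLE_EMAIL, false));                  // entity-encoded link
console.log(decodeEntities(webmasterLink(SAMPLE_EMAIL, false))); // plaintext again
```

Run it with `node` to see the three outputs. The third line is the point: the cloaked markup, once parsed, is the same link the original html_api.php emitted, so the gating on the anonymous user is what removed the address from the pages a harvester can fetch without logging in.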

jlatour (reporter), 2004-12-05 11:37, note ~0008516

Your idea sounded good though, Victor.