Closed
Bug 253602
Opened 20 years ago
Closed 20 years ago
Emails are displayed and available to spambots and other abuse, potential DOS against developers
Categories
(bugzilla.mozilla.org :: General, defect)
RESOLVED
DUPLICATE
of bug 215439
People
(Reporter: MagicFab, Assigned: myk)
Details
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

PROBLEM: Emails of bug reporters, authors, etc. are exposed and available for SPAMbots to grab and for other forms of online abuse.

SOLUTION: Upgrade to version 2.18 of Bugzilla when it's released. Contribute code to Bugzilla so future Mozilla developers and contributors emails have better protection.

According to the release notes of upcoming 2.18 version of Bugzilla:
http://www.bugzilla.org/releases/2.18/release-notes.html

Email Address Munging
---------------------
The fact that raw email addresses are displayed in Bugzilla makes it trivial for bots that spamharvest to spider through Bugzilla, in particular, through Bugzilla's buglists. This change adds HTML obfuscation of email addresses as they appear in the Bugzilla web pages.

Reproducible: Always

Steps to Reproduce:
1. Visit any bug report at bugzilla.mozilla.org
2. Grab bug reporter's, commenters, etc. email addresses

Actual Results:
Email addresses are available in plain text for anyone to copy / grab / abuse.

Expected Results:
An email should only be sent via an online form by default for authenticated users, if at all permitted. Sourceforge's methods could also provide inspiration for this. If custom code is created for this, perhaps it could/should be contributed to Bugzilla.

This could be used to provoke a major DOS attack by mass mailing every (or selected) Mozilla developer and blocking their email accounts, potentially delaying or stopping upcoming releases.
Comment 1•20 years ago
(In reply to comment #0)
> SOLUTION: Upgrade to version 2.18 of Bugzilla when it's released. Contribute
> code to Bugzilla so future Mozilla developers and contributors emails have
> better protection.
>
> According to the release notes of upcoming 2.18 version of Bugzilla:
> http://www.bugzilla.org/releases/2.18/release-notes.html
>
> Email Address Munging

bugzilla.mozilla.org is already running this code. It was introduced in 2.17.6. The HTML of the email addresses are obfuscated, and don't look like emails in the page source. This trick worked for a while, but the spammers are starting to get wise to it. There are other tricks in the works to stave them off for a while.

Bug 215439 is the closest to what you're proposing here.

*** This bug has been marked as a duplicate of 215439 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
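
An added example, not part of the original bug and not Bugzilla's code: it contrasts entity-style HTML munging with withholding the address from anonymous viewers, and gives a check a maintainer could run on rendered markup. The entity encoding, the function names and the sample address are assumptions; the page does not say how Bugzilla 2.17.6 obfuscates addresses.

```python
import html
import re

# Loose address pattern, sufficient for a leak check (not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def munge_entities(address: str) -> str:
    """Weak approach (assumed style): write every character as a numeric entity."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def render_user(display_name: str, address: str, viewer_logged_in: bool) -> str:
    """Stronger approach: anonymous viewers get the display name only."""
    name = html.escape(display_name)
    if viewer_logged_in:
        return f'<a href="mailto:{html.escape(address)}">{name}</a>'
    return f'<span class="user">{name}</span>'


def leaked_addresses(page_html: str) -> list[str]:
    """Decode entities the way any HTML parser does, then list addresses still present."""
    return EMAIL_RE.findall(html.unescape(page_html))


if __name__ == "__main__":
    addr = "reporter@example.org"  # constructed sample
    munged_cell = f"<td>{munge_entities(addr)}</td>"
    print("raw '@' in munged markup:", "@" in munged_cell)
    print("munged, anonymous view:", leaked_addresses(munged_cell))
    print("withheld, anonymous view:", leaked_addresses(render_user("Reporter", addr, False)))
```

The munged markup contains no literal "@", yet the check still reports the address, which is why the withheld rendering is the one that holds up for unauthenticated pages.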