View Issue Details

ID: 0026330
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2019-11-06 03:30

Reporter: anfrind
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: N/A
Status: confirmed
Resolution: open

Summary: 0026330: Configuration option to disable RSS
Description

For a user to subscribe to their personal RSS feed, their RSS reader must submit a GET request that includes their username and a unique key. This may be a security risk, as the username and key could be inadvertently saved to server logs or proxy logs, and, if HTTPS is not used, they may be visible to network monitoring tools (e.g. Wireshark).

It would be nice if there were a configuration option to disable RSS entirely, thereby eliminating it as a potential attack vector.

Tags: No tags attached.

Activities

atrol (developer) - 2019-11-06 03:29 - ~0063057

There is a configuration option $g_rss_enabled for it:
https://github.com/mantisbt/mantisbt/blob/release-2.22.1/config_defaults_inc.php#L3775

Like some other options, it's not documented in the Admin Guide.
Therefore it's recommended to check config_defaults_inc to get a list of all available options.