ID: 0018049
Project: phplist application
Category: Security
View Status: public
Date Submitted: 14-03-16 22:02
Last Update: 16-04-16 14:24
Priority: normal
Severity: major
Reproducibility: have not tried
Platform: Linux
OS: Debian
OS Version: stretch
Product Version: 3.2.4
Target Version: next patch
Fixed in Version: 3.2.5
Summary: 0018049: Reset password links are hard coded to HTTP
Description: When a mail is sent with a link to reset the password (edit admin or forgotten password), the link is hard coded with HTTP rather than HTTPS, which is a security issue, and the link can't work if the phplist web site is only HTTPS.
Steps To Reproduce: Update an administrator with the update password option selected, or click "send password" on the home page. The link received is:
http://<url/list>/admin/?page=login&token=XXXX

Notes
michiel (manager)
14-03-16 22:12

yes, lib.php line 310 has it hard coded.

it should use ADMIN_PROTOCOL
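The change suggested in the note, sketched as an added example (this is not phpList's code and not from the issue): the reset link takes its scheme from configuration instead of a string literal. The function name `buildResetLink`, the assumption that `ADMIN_PROTOCOL` holds a bare scheme such as `https`, and the host `lists.example.org/lists` are all hypothetical.

```php
<?php
// Added example, not phpList code. ADMIN_PROTOCOL is the constant named in the
// note above; defining it here with a bare scheme value is an assumption.
if (!defined('ADMIN_PROTOCOL')) {
    define('ADMIN_PROTOCOL', 'https');
}

/**
 * Hypothetical helper: build the password-reset link from the configured
 * scheme rather than a literal "http://" prefix.
 */
function buildResetLink(string $hostAndPath, string $token, string $scheme = ADMIN_PROTOCOL): string
{
    // Accept "https", "https:" or "https://" and normalise to the bare scheme.
    $scheme = strtolower(rtrim($scheme, ':/'));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }

    // Refuse whitespace, userinfo markers and backslashes so the value cannot
    // point the mailed link at a different authority.
    if (preg_match('/[\s@\\\\]/', $hostAndPath) || strpos($hostAndPath, '//') !== false) {
        throw new InvalidArgumentException('Invalid host/path');
    }

    // Encode the token instead of concatenating it into the query string.
    $query = http_build_query(['page' => 'login', 'token' => $token]);

    return sprintf('%s://%s/admin/?%s', $scheme, trim($hostAndPath, '/'), $query);
}

// Constructed sample values.
$site  = 'lists.example.org/lists';
$token = 'XXXX';

// Behaviour reported in this issue: the scheme is a string literal, so the
// token travels over plain HTTP and the link fails on an HTTPS-only site.
$hardCoded = 'http://' . $site . '/admin/?page=login&token=' . $token;

// Scheme follows configuration.
$configured = buildResetLink($site, $token);

echo $hardCoded, PHP_EOL;
echo $configured, PHP_EOL;
```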
