View Issue Details

ID: 0018049
Project: phplist application
Category: Security
View Status: public
Last Update: 16-04-16 13:24
Reporter: gbriere
Priority: normal
Severity: major
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform: Linux
OS: Debian
OS Version: stretch
Product Version: 3.2.4
Target Version: next patch
Fixed in Version: 3.2.5
Summary: 0018049: Reset password links are hard coded to HTTP
Description: When a mail is sent with a link to reset password (edit admin or forgotten password), the link is hard coded with HTTP rather than HTTPS, which is a security issue, and the link can't work if the phplist web site is only HTTPS.
Steps To Reproduce: Update an administrator with update password option selected or click "send password" on home page. The link received is:
http://<url/list>/admin/?page=login&token=XXXX
Tags: No tags attached.

Activities

michiel (manager), 14-03-16 22:12, ~0057567

Yes, lib.php line 310 has it hard coded.

It should use ADMIN_PROTOCOL.

https://resources.phplist.com/system/config/admin_protocol
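
The hard-coded link from the report beside one that takes its scheme from ADMIN_PROTOCOL, with a check that flags token-bearing links sent over plain HTTP. This is an added example, not phpList's code or the change that shipped in 3.2.5; ADMIN_PROTOCOL is assumed to be a defined PHP constant, and the function names, host and path are hypothetical.

```php
<?php
// Added example, not phpList's own code. ADMIN_PROTOCOL is the setting named
// in the note above; it is assumed here to be a PHP constant.
if (!defined('ADMIN_PROTOCOL')) {
    define('ADMIN_PROTOCOL', 'https'); // assumed value for an HTTPS-only site
}

// "Before": the scheme is hard coded, as the report describes.
function resetLinkHardCoded(string $host, string $listPath, string $token): string
{
    return 'http://' . $host . $listPath . '/admin/?page=login&token=' . rawurlencode($token);
}

// "After": the scheme comes from configuration and is limited to http/https,
// so a mistyped setting fails loudly instead of producing a broken link.
function resetLinkConfigured(string $host, string $listPath, string $token): string
{
    $scheme = strtolower(ADMIN_PROTOCOL);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('ADMIN_PROTOCOL must be http or https');
    }
    return $scheme . '://' . $host . $listPath . '/admin/?page=login&token=' . rawurlencode($token);
}

// Regression check for outgoing mail: return every link that carries a
// token parameter but uses plain HTTP.
function insecureTokenLinks(string $mailBody): array
{
    preg_match_all('~\bhttp://[^\s"\'<>]*[?&]token=[^\s"\'<>]*~i', $mailBody, $m);
    return $m[0];
}

// Constructed sample values (hypothetical host and path, placeholder token).
$host  = 'lists.example.org';
$path  = '/lists';
$token = 'XXXX';

$before = 'Reset your password: ' . resetLinkHardCoded($host, $path, $token) . "\n";
$after  = 'Reset your password: ' . resetLinkConfigured($host, $path, $token) . "\n";

printf("hard coded: %d insecure token link(s)\n", count(insecureTokenLinks($before)));
printf("configured: %d insecure token link(s)\n", count(insecureTokenLinks($after)));
```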