View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0018049 | phpList 3 application | Security | public | 14-03-16 22:02 | 16-01-19 09:46 |
| Reporter | gbriere | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | resolved | Resolution | fixed | ||
| Platform | Linux | OS | Debian | OS Version | stretch |
| Product Version | 3.2.4 | ||||
| Fixed in Version | 3.2.5 | ||||
| Summary | 0018049: Reset password links are hard coded to HTTP | ||||
| Description | When a mail is send with a link to reset password (edit admin or forgotten password) the link is hard coded with HTTP rather than HTTPS wich is a security issue and the link can't work if the phplist web site is only HTTPS. | ||||
| Steps To Reproduce | Update an administrator with update password option selected or click "send password" on home page : The link received is : http://<url/list>/admin/?page=login&token=XXXX | ||||
| Tags | No tags attached. | ||||
|
|
yes, lib.php line 310 has it hard coded. it should use ADMIN_PROTOCOL https://resources.phplist.com/system/config/admin_protocol |
