View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0018049 | phpList 3 application | Security | public | 14-03-16 22:02 | 16-01-19 09:46 |
Reporter | gbriere | Assigned To | |
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | resolved | Resolution | fixed |
Platform | Linux | OS | Debian | OS Version | stretch |
Product Version | 3.2.4 |
Fixed in Version | 3.2.5 |
Summary | 0018049: Reset password links are hard coded to HTTP |
Description | When a mail is sent with a link to reset password (edit admin or forgotten password) the link is hard coded with HTTP rather than HTTPS, which is a security issue, and the link can't work if the phplist web site is only HTTPS. |
Steps To Reproduce | Update an administrator with update password option selected or click "send password" on home page. The link received is: http://<url/list>/admin/?page=login&token=XXXX |
Tags | No tags attached. |
Yes, lib.php line 310 has it hard coded. It should use ADMIN_PROTOCOL: https://resources.phplist.com/system/config/admin_protocol
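The difference between a hard-coded scheme and one taken from ADMIN_PROTOCOL, shown as an added example that is not phpList's own code and not part of the note above. The function names, the host `lists.example.org`, the `/lists` path and the stand-in `define` are assumptions; the last function is a regression check that flags token links sent over plain HTTP in a mail body.

```php
<?php
// Added illustration, not phpList source. All function names are hypothetical.

// ADMIN_PROTOCOL is the config setting named in the note above; it is
// defined here (assumed value) only so the example runs stand-alone.
if (!defined('ADMIN_PROTOCOL')) {
    define('ADMIN_PROTOCOL', 'https');
}

// "Before": the scheme is a string literal, so the reset token always
// travels over plain HTTP, whatever the site is configured to serve.
function resetLinkHardCoded(string $host, string $path, string $token): string
{
    return 'http://' . $host . $path . '/admin/?page=login&token=' . urlencode($token);
}

// "After": the scheme comes from configuration and anything other than
// http or https is rejected rather than written into the mail.
function resetLinkConfigured(string $host, string $path, string $token): string
{
    $scheme = strtolower(trim(ADMIN_PROTOCOL));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('ADMIN_PROTOCOL must be http or https');
    }
    return $scheme . '://' . $host . $path . '/admin/?page=login&token=' . urlencode($token);
}

// Regression check for outgoing mail: return every link that carries a
// token= parameter over plain HTTP. https:// links do not match.
function insecureTokenLinks(string $mailBody): array
{
    preg_match_all('~\bhttp://[^\s"<>]*[?&]token=[^\s"<>&]+~i', $mailBody, $m);
    return $m[0];
}

// Constructed sample mail bodies; XXXX is the placeholder token from the report.
$before = 'Reset your password: ' . resetLinkHardCoded('lists.example.org', '/lists', 'XXXX');
$after  = 'Reset your password: ' . resetLinkConfigured('lists.example.org', '/lists', 'XXXX');

var_dump(insecureTokenLinks($before));
var_dump(insecureTokenLinks($after));
```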