Opened 16 months ago

Last modified 12 months ago

#5466 new defect

Security - wiki sign up email confirmation uses http links

Reported by: openstreetmap.org@…
Owned by: openstreetmap@…
Priority: minor
Milestone:
Component: wiki
Version:
Keywords: Security, email
Cc: tacsipacsi

Description

New user signs up to edit the wiki.

Confirmation email sent to their email address.

Email contains links to http://wiki.openstreetmap.org rather than the https version.

While I'm sure the website automatically redirects, a malicious MITM could redirect the user before that happens.

Hopefully a simple configuration change.

Attachments (1)

Screenshot_20170819-175941.jpg (121.6 KB) - added by openstreetmap.org@… 16 months ago.
Screenshot of the confirmation email


Change History (2)

Changed 16 months ago by openstreetmap.org@…

Screenshot of the confirmation email

comment:1 Changed 12 months ago by tacsipacsi

  • Cc tacsipacsi added

The wiki does not redirect, at least not for watchlist notification emails. (Unless you check the appropriate option in your preferences, but a new user won’t have that checked.) $wgServer should be changed from http://wiki.openstreetmap.org to https://wiki.openstreetmap.org in LocalSettings.php (I hope).
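Added example, not part of the ticket or the wiki's own code: after `$wgServer` is changed as suggested in comment:1, a check like this over a captured outgoing mail confirms that no plain-http links to the wiki host remain. The sample mail, its addresses and the token are constructed, and `insecure_links` is a hypothetical helper name.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample shaped like the confirmation mail the ticket describes.
# Addresses and tokens are placeholders, not values from the ticket.
SAMPLE_MAIL = """\
From: wiki@example.invalid
To: newuser@example.invalid
Subject: OpenStreetMap Wiki email address confirmation
Content-Type: text/plain; charset="utf-8"

To confirm that this account really does belong to you, open this link:

http://wiki.openstreetmap.org/wiki/Special:ConfirmEmail/PLACEHOLDER-TOKEN

If you did not register the account, follow this link to cancel:

https://wiki.openstreetmap.org/wiki/Special:InvalidateEmail/PLACEHOLDER-TOKEN
"""

# Match http and https URLs up to whitespace or a closing delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def insecure_links(raw_mail, host):
    """Return every plain-http URL pointing at `host` in the text parts of a mail."""
    msg = message_from_string(raw_mail)
    found = []
    for part in msg.walk():
        # Skip multipart containers and attachments; only text bodies carry links.
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and (parts.hostname or "").lower() == host:
                found.append(url)
    return found


if __name__ == "__main__":
    for url in insecure_links(SAMPLE_MAIL, "wiki.openstreetmap.org"):
        print("plain-http link in outgoing mail:", url)
```
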
