Opened 16 months ago

Last modified 12 months ago

#5466 new defect

Security - wiki sign up email confirmation uses http links

Reported by: …
Owned by: openstreetmap@…
Priority: minor
Milestone:
Component: wiki
Version:
Keywords: Security, email
Cc: tacsipacsi


New user signs up to edit the wiki.

Confirmation email sent to their email address.

Email contains links to rather than the https version.

While I'm sure the website automatically redirects, a malicious MITM could redirect the user before that happens.

Hopefully a simple configuration change.

Attachments (1)

Screenshot_20170819-175941.jpg (121.6 KB) - added by… 16 months ago.
Screenshot of the confirmation email


Change History (2)

Changed 16 months ago by…

Screenshot of the confirmation email

comment:1 Changed 12 months ago by tacsipacsi

  • Cc tacsipacsi added

The wiki does not redirect, at least not for watchlist notification emails. (Unless you check the appropriate option in your preferences, but a new user won’t have that checked.) $wgServer should be changed from to in LocalSettings.php (I hope).
